General

  • Target

    aff9ab5bd7309235fdfc643d535f89da

  • Size

    15.0MB

  • Sample

    201214-a8r4w5jwwe

  • MD5

    aff9ab5bd7309235fdfc643d535f89da

  • SHA1

    7cbf21edc211abbf977f2ed01e317166e00c84ab

  • SHA256

    83f46bbf5414ef3e3eba95cbabf5b48802e01a426e14d4ebe51e6a6b6c67a574

  • SHA512

    0839288097ed86580fae041b59ac51aceac24e22ba5aef9bd50865de2dc2d897608dde150c4a6cc240bb9cab16a49b1c36d84bde9d07b761b3251878d7ca4cd2

Malware Config

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • New Service (T1050): 1

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Privilege Escalation

  • New Service (T1050): 1

Defense Evasion

  • Disabling Security Tools (T1089): 1

  • Modify Registry (T1112): 2

Tasks