General

  • Target

    a2f750ea33e71a374a0e40cb66bad6cb

  • Size

    10.7MB

  • Sample

    201214-tqcywy2456

  • MD5

    a2f750ea33e71a374a0e40cb66bad6cb

  • SHA1

    c13139c6d890e4c4fa7772751c4459a74f9ec382

  • SHA256

    0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d

  • SHA512

    739f55776c23f55646261154873fc3c29ed53506e54703d2989ac796443b65947b197a71b7a21f273d2d81c299759d8247f3d2be9a58004e02aa02a8ddc66f80

Targets

    • Target

      a2f750ea33e71a374a0e40cb66bad6cb

    • Size

      10.7MB

    • MD5

      a2f750ea33e71a374a0e40cb66bad6cb

    • SHA1

      c13139c6d890e4c4fa7772751c4459a74f9ec382

    • SHA256

      0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d

    • SHA512

      739f55776c23f55646261154873fc3c29ed53506e54703d2989ac796443b65947b197a71b7a21f273d2d81c299759d8247f3d2be9a58004e02aa02a8ddc66f80

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Suspicious use of SetThreadContext
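
The behaviours listed above turned into detection logic and run over constructed Sysmon-style events. This is an added example, not part of the sandbox report: the hash values are the ones the report lists, while the event records, file paths, the service name examplesvc and the regular expressions are assumptions made for illustration rather than signatures taken from the sample.

```python
"""Behaviour and IOC checks over constructed Sysmon-style events.

Added example, not part of the sandbox report. SAMPLE_HASHES are copied
from the report; everything else (events, paths, regexes) is assumed.
"""
import re

# Hashes of the analysed sample, copied from the report (lower-case hex).
SAMPLE_HASHES = {
    "MD5": "a2f750ea33e71a374a0e40cb66bad6cb",
    "SHA1": "c13139c6d890e4c4fa7772751c4459a74f9ec382",
    "SHA256": "0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d",
}

# Directories a legitimate service binary is expected to live in (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IMAGEPATH_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)
NETSH_FW_RE = re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)
CMD_DEL_RE = re.compile(r"\bcmd(\.exe)?\b.*\s/c\s.*\bdel\b", re.I)


def parse_sysmon_hashes(field):
    """'MD5=..,SHA256=..' -> {'MD5': '..', 'SHA256': '..'}, values lower-cased."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def normalise_path(value):
    """Reduce a service ImagePath value to its (lower-cased) binary path.

    Handles a quoted path or an unquoted path followed by arguments, and
    expands %SystemRoot%. Unquoted paths containing spaces are not handled.
    """
    v = value.strip().lower()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    else:
        v = v.split(" ", 1)[0]
    return v.replace("%systemroot%", "c:\\windows")


def known_sample(ev):
    """EID 1 whose Hashes field contains any hash from the report."""
    hashes = parse_sysmon_hashes(ev.get("Hashes", ""))
    return any(hashes.get(algo) == val for algo, val in SAMPLE_HASHES.items())


def service_image_path_outside_system(ev):
    """EID 13: a service ImagePath set to a binary outside the system dirs."""
    if ev.get("EventID") != 13 or not IMAGEPATH_RE.search(ev.get("TargetObject", "")):
        return False
    return not normalise_path(ev.get("Details", "")).startswith(SYSTEM_DIRS)


def firewall_modified(ev):
    """EID 1: netsh invoked with the (adv)firewall context."""
    return ev.get("EventID") == 1 and bool(NETSH_FW_RE.search(ev.get("CommandLine", "")))


def self_delete(ev):
    """EID 1: 'cmd /c del' whose command line names the parent's own image."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    return bool(parent) and bool(CMD_DEL_RE.search(cmd)) and parent in cmd.lower()


RULES = {
    "known_sample_hash": known_sample,
    "service_image_path_outside_system": service_image_path_outside_system,
    "firewall_modified": firewall_modified,
    "self_delete": self_delete,
}


def scan(events):
    """Return [(event index, [rule names]), ...] for events that hit a rule."""
    hits = []
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits.append((i, names))
    return hits


# Constructed events (assumed); not a capture from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "Hashes": "MD5=A2F750EA33E71A374A0E40CB66BAD6CB,IMPHASH=00000000000000000000000000000000"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\examplesvc\ImagePath",
     "Details": r"C:\Users\victim\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\ImagePath",
     "Details": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Core Networking" '
                    'dir=in action=allow program="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "CommandLine": r'cmd /c del /f /q "C:\Users\victim\AppData\Local\Temp\sample.exe"'},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].get("Image"), ", ".join(names))
```

The third event (a normal %SystemRoot% ImagePath for BITS) is included on purpose: the ImagePath rule should fire only when the service binary lives outside the system directories, otherwise every service reconfiguration would alert.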

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Persistence           New Service                          1      T1050
  Persistence           Modify Existing Service              1      T1031
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Privilege Escalation  New Service                          1      T1050
  Defense Evasion       Disabling Security Tools             1      T1089
  Defense Evasion       Modify Registry                      2      T1112

The IDs are ATT&CK v6 technique IDs. In current ATT&CK, New Service and Modify Existing Service fall under T1543.003 (Create or Modify System Process: Windows Service), Registry Run Keys / Startup Folder is T1547.001, Disabling Security Tools is T1562.001 (Impair Defenses: Disable or Modify Tools), and Modify Registry remains T1112.
