General

  • Target

    a975a4357dff0d55c2735b6dabd3e9b5

  • Size

    10.2MB

  • Sample

    201214-vp967912v2

  • MD5

    a975a4357dff0d55c2735b6dabd3e9b5

  • SHA1

    cc1fd964f342e02ce7720230930eab539e283fc0

  • SHA256

    e7063186f189d960fb77b95e6bb42928c523bddae8c6525fbfc564b73fcdd8cc

  • SHA512

    8f53ada7139d9f5e96158ad5c8a138d3d336ea3058daed17518a3bbd57d6b9cf4a33a423a587008b78f52a94658817f15a8662ae48e7ad39af85258ded72fb16

Malware Config

Targets

    • Target

      a975a4357dff0d55c2735b6dabd3e9b5

    • Size

      10.2MB

    • MD5

      a975a4357dff0d55c2735b6dabd3e9b5

    • SHA1

      cc1fd964f342e02ce7720230930eab539e283fc0

    • SHA256

      e7063186f189d960fb77b95e6bb42928c523bddae8c6525fbfc564b73fcdd8cc

    • SHA512

      8f53ada7139d9f5e96158ad5c8a138d3d336ea3058daed17518a3bbd57d6b9cf4a33a423a587008b78f52a94658817f15a8662ae48e7ad39af85258ded72fb16

    • Tofsee

      Backdoor/botnet that carries out malicious activities (spam, proxying, further payloads) based on commands received from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Counts are the number of matched signatures per technique.

Persistence

  • New Service (T1050): 1

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Privilege Escalation

  • New Service (T1050): 1

Defense Evasion

  • Disabling Security Tools (T1089): 1

  • Modify Registry (T1112): 2
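The signatures and ATT&CK techniques above (new service installation, service ImagePath written to the registry, Run-key persistence, firewall modification) are the behaviours a responder would hunt for on a host suspected of running this sample. The script below is an added triage example, not part of the sandbox report or of any Tofsee analysis tooling; it assumes a flattened `EventID|field=value|...` export of Windows System/Security/Sysmon events (a constructed format), and the sample log lines are constructed for illustration rather than taken from the sample's execution. The mapping of each rule to a technique ID follows the report's ATT&CK v6 matrix.

```python
"""Flag Windows event records that match the behaviours the Tofsee report lists.

Added example (not from the report). Input format is an assumption: one event
per line, "EventID|field=value|field=value|...", as a simplified export of
System log 7045 (service installed), Security log 4688 (process creation)
and Sysmon 13 (registry value set).
"""
import re

# Directories from which a freshly installed service binary is not by itself
# suspicious. Anything else (user profile, temp, Public) is flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events: two service installs, two process creations,
# two registry writes. Only four of the six should be flagged.
SAMPLE_EVENTS = [
    "7045|ServiceName=WinUpdSvc|ImagePath=C:\\Users\\Public\\svchost.exe",
    "7045|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "4688|NewProcessName=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh advfirewall set allprofiles state off",
    "4688|NewProcessName=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
    "13|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater|Details=C:\\Users\\Public\\a975.exe",
    "13|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinUpdSvc\\ImagePath|Details=C:\\Users\\Public\\svchost.exe",
]

NETSH_FIREWALL = re.compile(r"netsh(\.exe)?\s+(advfirewall|firewall)\b", re.IGNORECASE)
SERVICE_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$")


def parse_event(line):
    """Split one flattened record into a dict; quotes around values are dropped."""
    event_id, *fields = line.split("|")
    rec = {"EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip().strip('"')
    return rec


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def triage(lines):
    """Return one finding per event that matches a behaviour from the report.

    Technique IDs are the ATT&CK v6 IDs used in the report's matrix.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev["EventID"]
        if eid == 7045 and not is_trusted_path(ev.get("ImagePath", "")):
            # "Creates new service(s)" with a binary outside trusted directories
            findings.append({"technique": "T1050", "name": "New Service",
                             "evidence": ev["ImagePath"]})
        elif eid == 4688 and NETSH_FIREWALL.search(ev.get("CommandLine", "")):
            # "Modifies Windows Firewall" via netsh
            findings.append({"technique": "T1089", "name": "Disabling Security Tools",
                             "evidence": ev["CommandLine"]})
        elif eid == 13:
            target = ev.get("TargetObject", "")
            if SERVICE_IMAGEPATH.search(target.lower()):
                # "Sets service image path in registry"
                findings.append({"technique": "T1031", "name": "Modify Existing Service",
                                 "evidence": target})
            elif "\\currentversion\\run\\" in target.lower():
                # Run-key persistence
                findings.append({"technique": "T1060",
                                 "name": "Registry Run Keys / Startup Folder",
                                 "evidence": target})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['name']}: {f['evidence']}")
```

The trusted-directory check deliberately stays simple: a service pointing into `C:\Windows` is not proof of legitimacy (the report itself shows the sample sets a service ImagePath), so on a real host pair this with a hash comparison of the service binary against the MD5/SHA256 values listed above.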

Tasks