General

  • Target

    395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c

  • Size

    142KB

  • Sample

    220625-nepsesccd4

  • MD5

    fb665d4a9976f7a8d7d53b4ee8d3a3fd

  • SHA1

    b2bcda3ea607a76f1f96d7b464bcec2950bc3da4

  • SHA256

    395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c

  • SHA512

    78bcc6ac3db476f1bb330c3bbf0fd18306d184c1b2ca189aa20bbd5dd0728a824f475141375ccb194aac76aefde1afc6dcfc0d34e348d8bc415f86dcf4f55ad7

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c

    • Size

      142KB

    • MD5

      fb665d4a9976f7a8d7d53b4ee8d3a3fd

    • SHA1

      b2bcda3ea607a76f1f96d7b464bcec2950bc3da4

    • SHA256

      395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c

    • SHA512

      78bcc6ac3db476f1bb330c3bbf0fd18306d184c1b2ca189aa20bbd5dd0728a824f475141375ccb194aac76aefde1afc6dcfc0d34e348d8bc415f86dcf4f55ad7

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks