General

  • Target

    a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405

  • Size

    315KB

  • Sample

    220731-hwc73adgd5

  • MD5

    ba8869744b32796d25afeb3c0647c3a7

  • SHA1

    f9c34582937abffc2d06b05a1446a5c37662a23a

  • SHA256

    a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405

  • SHA512

    758f82f4262ef7095656040fae62eb1df7f3c66399a03b009d7f29f68677a2d6f481f2d2e047b1b0d9155b416dc4099eb10652d75fa9d753cc626739ad330981

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405

    • Size

      315KB

    • MD5

      ba8869744b32796d25afeb3c0647c3a7

    • SHA1

      f9c34582937abffc2d06b05a1446a5c37662a23a

    • SHA256

      a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405

    • SHA512

      758f82f4262ef7095656040fae62eb1df7f3c66399a03b009d7f29f68677a2d6f481f2d2e047b1b0d9155b416dc4099eb10652d75fa9d753cc626739ad330981

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks