General

  • Target

    file.exe

  • Size

    276KB

  • Sample

    221202-h5jq7sec55

  • MD5

    010f80610ed8b65773d1a85863c4df30

  • SHA1

    ef9746a7ecc34f0cfd22fec39a4d8b24674abfed

  • SHA256

    b88b9ed4918755d2ee5d4e8ec49915b6b0991cff51fd6d65f75e02757af71d10

  • SHA512

    fc62a6875922e8aa069618baf4c0dd608440b8b6e79c91016d37a094472983f98e4f62dce2aff9334bd5ab7c58408b9e280ab2bb4e1067f3166a144c9c8359d0

  • SSDEEP

    3072:NQge8WCBrrL4v8CVtq5qDGyKdhpHqPmgTDrtQYaVi5MXYhIh3eGjMgG1ao5Lk:NV/Lq8CVnD4h9qPmgTHqpQVuRjMgU
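The hashes above are the file IOCs most hunts start from. As an added example (not part of the original report), the Python script below streams a suspect file through MD5, SHA1, SHA256 and SHA512 in a single pass, compares the digests with the report's values, and flags the case where only some algorithms agree, which indicates a mistyped IOC or a collision rather than a clean match. The digest constants are copied from the report; the demo bytes written when no path is given are constructed and are not the Tofsee sample. The `hash_file`, `match_iocs` and `classify` names are the example's own.

```python
"""Match a suspect file against the hash IOCs listed in this report.

Added example, not part of the original report. The digest values below are
the ones published on the page; the bytes fed in for the demo run are
constructed here and are not the Tofsee sample itself.
"""
import hashlib
import os
import sys
import tempfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Hash IOCs for the analysed file.exe, copied from the report.
REPORT_IOCS = {
    "md5": "010f80610ed8b65773d1a85863c4df30",
    "sha1": "ef9746a7ecc34f0cfd22fec39a4d8b24674abfed",
    "sha256": "b88b9ed4918755d2ee5d4e8ec49915b6b0991cff51fd6d65f75e02757af71d10",
    "sha512": (
        "fc62a6875922e8aa069618baf4c0dd608440b8b6e79c91016d37a094472983f9"
        "8e4f62dce2aff9334bd5ab7c58408b9e280ab2bb4e1067f3166a144c9c8359d0"
    ),
}


def _digests(chunks) -> dict:
    """Feed every chunk to all four hashers so the file is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory buffer (handy for carved or unpacked payloads)."""
    return _digests([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digests of a file on disk, streamed so large samples need not fit in RAM."""
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Algorithms whose digest equals the report's value (case-insensitive hex)."""
    return [a for a in ALGOS
            if a in digests and a in iocs and digests[a].lower() == iocs[a].lower()]


def classify(digests: dict, iocs: dict = REPORT_IOCS) -> str:
    """'match' when every comparable digest agrees, 'no_match' when none does,
    and 'partial' when they disagree with each other: that means a bad IOC
    entry or a hash collision, and the file deserves a closer look either way."""
    compared = [a for a in ALGOS if a in digests and a in iocs]
    hits = match_iocs(digests, iocs)
    if not hits:
        return "no_match"
    if len(hits) == len(compared):
        return "match"
    return "partial"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        # Constructed demo file, not the sample: the verdict will be no_match.
        fd, path = tempfile.mkstemp(suffix=".exe")
        with os.fdopen(fd, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)
    digests = hash_file(path)
    for algo in ALGOS:
        print(f"{algo:7} {digests[algo]}")
    print("verdict:", classify(digests))
```

Run it as `python match_iocs.py path/to/suspect.exe`; without an argument it hashes a constructed placeholder and reports no match. SSDEEP is deliberately left out: fuzzy-hash comparison needs the ssdeep library and a similarity threshold rather than equality, so it belongs in a separate step.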

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name
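The two C2 domains are the network IOCs to sweep resolver logs for. As an added example (not part of the original report), the Python script below parses DNS query log lines, matches names against the C2 domains with a proper label boundary (so `notjotunheim.name` and `svartalfheim.top.example.com` are not hits, while `www.jotunheim.name.` and an upper-cased query are), and groups the querying hosts by C2 domain. The log line format and the sample lines are constructed for the example; `LOG_RE` must be adapted to the resolver actually in use.

```python
"""Hunt DNS logs for lookups of the Tofsee C2 domains listed in this report.

Added example, not part of the original report. The log line shape
(timestamp, client IP, "query", record type, queried name) is an assumption
made for the example, and SAMPLE_LOG is constructed; adapt LOG_RE to the
format your resolver writes.
"""
import re
from collections import defaultdict

# C2 domains extracted from the sample's configuration (from the report).
C2_DOMAINS = ("svartalfheim.top", "jotunheim.name")

# Assumed line shape: 2022-12-02T10:15:03Z 10.0.0.15 query A svartalfheim.top
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed sample log: three true hits, two look-alikes, one junk line.
SAMPLE_LOG = """\
2022-12-02T10:15:03Z 10.0.0.15 query A svartalfheim.top
2022-12-02T10:15:04Z 10.0.0.15 query A www.jotunheim.name.
2022-12-02T10:15:05Z 10.0.0.22 query A notjotunheim.name
2022-12-02T10:15:06Z 10.0.0.22 query A svartalfheim.top.example.com
2022-12-02T10:15:07Z 10.0.0.31 query AAAA JOTUNHEIM.NAME
this line is not a DNS record
"""


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot of an FQDN so comparisons are exact."""
    return qname.rstrip(".").lower()


def matching_c2(qname: str, c2=C2_DOMAINS):
    """Return the C2 domain that qname equals or is a subdomain of, else None.

    The '.' prefix enforces a label boundary, so a name that merely ends in
    the same characters (notjotunheim.name) or that uses the C2 domain as a
    leading label (svartalfheim.top.example.com) is not reported.
    """
    name = normalize(qname)
    for domain in c2:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hunt(lines, c2=C2_DOMAINS) -> list:
    """Parse each line and collect queries that resolve to a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the hunt
        domain = matching_c2(m["qname"], c2)
        if domain:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "qname": m["qname"], "c2": domain})
    return hits


def hosts_by_c2(hits) -> dict:
    """Group source IPs by C2 domain: the hosts to isolate and image first."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["c2"]].add(h["src"])
    return {domain: sorted(ips) for domain, ips in grouped.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['qname']} (C2: {h['c2']})")
    print(hosts_by_c2(found))
```

Matching on the resolver log rather than on outbound connections catches the lookup even when the C2 domain does not resolve at hunt time, which is common once sinkholing or takedowns have happened.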

Targets

    • Target

      file.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is the count of report signatures mapped to it. The IDs are ATT&CK v6 technique IDs: in current ATT&CK, T1050 and T1031 both correspond to T1543.003 (Create or Modify System Process: Windows Service) and T1060 to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), while T1112, T1012 and T1082 keep their IDs.

Persistence

  • New Service (T1050): 1

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 2

Privilege Escalation

  • New Service (T1050): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2