General

  • Target

    file.exe

  • Size

    276KB

  • Sample

    221202-j96xzahg63

  • MD5

    04c62424433988aed6944dc558855824

  • SHA1

    cb6c87d5dc521549084a92e26330340f56086f24

  • SHA256

    514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f

  • SHA512

    c69cbbaa911f951b984927a9d772f043b47f157e512ffdc19d585de49af99a8a5b56944e1b34ad92906c297176909c86c9baf8a34057fe11669dcb2c344cebff

  • SSDEEP

    3072:qJq486qfLrfPDC1tq5q6rxBWRmk821kjOzSGyCAIMuJcbP2BcWtV0ofAfpBtShIJ:R1fLbDC1nUFBOz7cgvVSpKuRjMgU

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      276KB

    • MD5

      04c62424433988aed6944dc558855824

    • SHA1

      cb6c87d5dc521549084a92e26330340f56086f24

    • SHA256

      514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f

    • SHA512

      c69cbbaa911f951b984927a9d772f043b47f157e512ffdc19d585de49af99a8a5b56944e1b34ad92906c297176909c86c9baf8a34057fe11669dcb2c344cebff

    • SSDEEP

      3072:qJq486qfLrfPDC1tq5q6rxBWRmk821kjOzSGyCAIMuJcbP2BcWtV0ofAfpBtShIJ:R1fLbDC1nUFBOz7cgvVSpKuRjMgU

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks