General

  • Target

    file.exe

  • Size

    299KB

  • Sample

    230206-xdf9bsae8y

  • MD5

    ca8dd6f47d5d394a0a7579c7e8e83c39

  • SHA1

    8035dab4c17144e77c1dff36c5c76d68e8c505f3

  • SHA256

    84e3be0472538cf0bd58385dc694f4ee839e12e713ebb620f533fc8b69ae2110

  • SHA512

    8cc7857355a04d2b53ad2029c47f53d245fec118646bad782e9b8d68e59367631098587cc83810b79d393645d8d07120f396dde810917bf4382b229aa92aa5ca

  • SSDEEP

    6144:C69rELImH1DXMEXR/Mk4vVyhmuQj9n32a:CUoE/EXR/MzYmljFG

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      299KB

    • MD5

      ca8dd6f47d5d394a0a7579c7e8e83c39

    • SHA1

      8035dab4c17144e77c1dff36c5c76d68e8c505f3

    • SHA256

      84e3be0472538cf0bd58385dc694f4ee839e12e713ebb620f533fc8b69ae2110

    • SHA512

      8cc7857355a04d2b53ad2029c47f53d245fec118646bad782e9b8d68e59367631098587cc83810b79d393645d8d07120f396dde810917bf4382b229aa92aa5ca

    • SSDEEP

      6144:C69rELImH1DXMEXR/Mk4vVyhmuQj9n32a:CUoE/EXR/MzYmljFG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks