General

  • Target

    file

  • Size

    327KB

  • Sample

    230529-sfl55scd28

  • MD5

    f4e4532af8047a15ae7040a12801d18d

  • SHA1

    3931db953fc1a08dd436bbba3d07f00c9010c0f5

  • SHA256

    f1b14007a26d653067be8c62a58f74b016510a9319f397af6bc25563af031134

  • SHA512

    84927da999e23bf8bd35629d2f028bdcf3db7d866369d67d8e8c142ba937b8eccb22bc5f959dcc31d43153fc843344b8966967d3bb6df78221f0c42a16a3d687

  • SSDEEP

    3072:pl9KGMGYbcp6z/CO0HL4LPvwo4DX6r4e4hXodaGhrOdf2L/5yX0eIGl1qoMfpT:QGTuXzELOXwo4a4eCodaGV405UoX

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      327KB

    • MD5

      f4e4532af8047a15ae7040a12801d18d

    • SHA1

      3931db953fc1a08dd436bbba3d07f00c9010c0f5

    • SHA256

      f1b14007a26d653067be8c62a58f74b016510a9319f397af6bc25563af031134

    • SHA512

      84927da999e23bf8bd35629d2f028bdcf3db7d866369d67d8e8c142ba937b8eccb22bc5f959dcc31d43153fc843344b8966967d3bb6df78221f0c42a16a3d687

    • SSDEEP

      3072:pl9KGMGYbcp6z/CO0HL4LPvwo4DX6r4e4hXodaGhrOdf2L/5yX0eIGl1qoMfpT:QGTuXzELOXwo4a4eCodaGV405UoX

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks