General

  • Target

    NEAS.9252b13000a99f5e020122fd7a7108389a22e55676f4739ab73b5c08fcfea57bexe_JC.exe

  • Size

    284KB

  • Sample

    231026-xss7fagc25

  • MD5

    c42c3e82a22d4dd981b9cf1766cc01f9

  • SHA1

    e2619e1ca9fd82151c5fda94281be42d80dfa363

  • SHA256

    9252b13000a99f5e020122fd7a7108389a22e55676f4739ab73b5c08fcfea57b

  • SHA512

    c11c5343c1bd62075983f40937942d7bf9e94b006f6cfe2a9ec46f3bfba7555d69a005e3274c86aa2f8de17703951b605aa0517398eb24af612f450962193f8c

  • SSDEEP

    3072:CCVXnHc4YObHa5o/LKtATUSQm/RvdGT7gfDVqNhR4/jQafEZB75aD/bVs7JQkibv:VnHc4Nb65o/L0Awb41Go7Vkr8EU7b0

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn
    jotunheim.name

Targets

    • Target

      NEAS.9252b13000a99f5e020122fd7a7108389a22e55676f4739ab73b5c08fcfea57bexe_JC.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before the payload runs.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
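The behaviours listed above are what a detection engineer would correlate on an endpoint: a process that drops a binary into System32, writes a Services\...\ImagePath value, gets a service installed for that binary, adds a firewall rule, and later resolves one of the two C2 domains from the config. The following is an added example, not code from the sandbox or the report, that runs that correlation over a small set of constructed event records. It assumes a Sysmon-style event model (ID 1 process create, 11 file create, 13 registry value set, 22 DNS query) plus System log event 7045 for service installation; the dropped file name, the process IDs, the lab path and the use of netsh to model the firewall change are all assumptions made for the example. Only the two C2 domains and the sample file name come from the report.

```python
"""Correlate Sysmon/System events into the Tofsee behaviour chain.
Added example; events below are constructed, not taken from the sandbox run."""
import re
from collections import defaultdict

# C2 domains extracted from the sample (see Malware Config above)
TOFSEE_C2 = {"vanaheim.cn", "jotunheim.name"}
SYSTEM32 = "c:\\windows\\system32\\"
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, case-insensitive
IMAGEPATH_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)

# Assumed lab path for the sample named in the report
SAMPLE = (r"C:\Users\lab\NEAS.9252b13000a99f5e020122fd7a7108389a22e55676f4739"
          r"ab73b5c08fcfea57bexe_JC.exe")
# Constructed name for the dropped service binary (not from the report)
DROPPED = r"C:\Windows\System32\hgqwvkts.exe"

# Constructed events in chronological order; pid 777 is benign noise.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3000, "image": SAMPLE, "cmdline": SAMPLE},
    {"id": 11, "pid": 4120, "target": DROPPED},
    {"id": 13, "pid": 4120,
     "target": r"HKLM\System\CurrentControlSet\Services\hgqwvkts\ImagePath",
     "details": DROPPED},
    {"id": 7045, "service": "hgqwvkts", "image": DROPPED},
    {"id": 1, "pid": 4300, "ppid": 4120, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="hgqwvkts" dir=in '
                'action=allow program="' + DROPPED + '"'},
    # service binary started by the SCM (ppid = services.exe), not by the dropper
    {"id": 1, "pid": 5008, "ppid": 1000, "image": DROPPED, "cmdline": DROPPED},
    {"id": 22, "pid": 5008, "query": "vanaheim.cn"},
    {"id": 22, "pid": 777, "query": "ctldl.windowsupdate.com"},
    {"id": 11, "pid": 777, "target": r"C:\Users\lab\AppData\Local\Temp\log.txt"},
]


def tag_events(events):
    """Return {pid: set(tags)} for every process matching a listed behaviour.
    Service installation and execution of the dropped file are attributed to
    the process that wrote the file, since the SCM starts the service itself."""
    tags = defaultdict(set)
    dropper_of = {}  # lowercase path written into System32 -> writing pid
    for ev in events:
        eid = ev["id"]
        if eid == 11 and ev["target"].lower().startswith(SYSTEM32):
            tags[ev["pid"]].add("drop_system32")
            dropper_of[ev["target"].lower()] = ev["pid"]
        elif eid == 13 and IMAGEPATH_RE.search(ev["target"]):
            tags[ev["pid"]].add("service_imagepath")
        elif eid == 7045:
            pid = dropper_of.get(ev["image"].lower())
            if pid is not None:
                tags[pid].add("service_installed")
        elif eid == 22 and ev["query"].lower() in TOFSEE_C2:
            tags[ev["pid"]].add("c2_dns")
        elif eid == 1:
            cmd = ev["cmdline"].lower()
            if "netsh" in cmd and "firewall" in cmd:
                tags[ev["ppid"]].add("firewall_mod")  # credit the parent
            pid = dropper_of.get(ev["image"].lower())
            if pid is not None:
                tags[pid].add("exec_dropped")
    return tags


def flag_tofsee(events, min_tags=3):
    """Flag a pid on a C2 resolution alone, or on min_tags persistence tags,
    so a single legitimate service installer does not trip the rule."""
    return {pid: sorted(t) for pid, t in tag_events(events).items()
            if "c2_dns" in t or len(t) >= min_tags}


if __name__ == "__main__":
    for pid, found in flag_tofsee(EVENTS).items():
        print(pid, found)
```

The rule credits the firewall change to the parent of netsh.exe and the service installation to the process that dropped the binary, which is what makes the sample's own pid light up with the whole chain while the dropped service process is caught separately by the C2 lookup; a real deployment would key on ProcessGuid rather than pid, since pids are reused.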
