General

  • Target

    file.exe

  • Size

    256KB

  • Sample

    231106-xgbs1sef93

  • MD5

    c135eaba9517cb400a5450d1af73134f

  • SHA1

    a6643daebf25fcc64ef564d2dee5b3c484a48136

  • SHA256

    1327b49af2122db5ddab590f1366dadec3e9991dae64f4c7f904cf100c27a2d1

  • SHA512

    699f3b924625d043a9c8f181b411d3d90571ea211f7608846aeec2fcb7b9fc75250d48e290b73d68df0cba7786d89bd447875615592753a60d3cfce70f621350

  • SSDEEP

    3072:7hGRctTaRSnvqHBHF0FwIzerZPzqYfY7lQYGfdtjXBY7Oty8xljoLe3woGOQi:NTaRavaGFw5Z7qYBYSjBAOE8zoK3wo

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      256KB

    • MD5

      c135eaba9517cb400a5450d1af73134f

    • SHA1

      a6643daebf25fcc64ef564d2dee5b3c484a48136

    • SHA256

      1327b49af2122db5ddab590f1366dadec3e9991dae64f4c7f904cf100c27a2d1

    • SHA512

      699f3b924625d043a9c8f181b411d3d90571ea211f7608846aeec2fcb7b9fc75250d48e290b73d68df0cba7786d89bd447875615592753a60d3cfce70f621350

    • SSDEEP

      3072:7hGRctTaRSnvqHBHF0FwIzerZPzqYfY7lQYGfdtjXBY7Oty8xljoLe3woGOQi:NTaRavaGFw5Z7qYBYSjBAOE8zoK3wo

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks