General

  • Target

    file.exe

  • Size

    228KB

  • Sample

    231121-j5jxmsdc25

  • MD5

    98a6e1822713de89f26b0bfaf4f50d97

  • SHA1

    92daf88970adc6e488213319201816a5a59d2d53

  • SHA256

    aa55631f758db92cf673fa0cc63dc03781f3ad86ffa61ba31a9eb73140ab9de2

  • SHA512

    0881b7027c7c361e47b73f596a4820c628f715e26339bec4f71fb44a4c17a4c28f7149065cfc7fc71f36c6836d70ed3b7603acce5ece5a3affc166b6a35a2a57

  • SSDEEP

    3072:ZhADULG/X+32wZXTOMgepSGaIrOe1od08Eqnm1yGdvHLDzI57:uOGW35ZX5PpSGaIloPE919lbI5

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name
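An added IOC-matching example, not part of the Triage report: it recomputes the four digests listed above for a file on disk and compares them with the report's values, and sweeps DNS log lines for the two C2 domains (including subdomains, while rejecting look-alikes such as `vanaheim.cn.example.org`). The ssdeep hash is not recomputed here because it needs a third-party library; the sample log lines and host names are constructed for this example, not taken from the sandbox run.

```python
"""IOC check for the Tofsee sample above (added example, not Triage code)."""
import hashlib
import re
import sys

# Indicators copied verbatim from the report.
REPORT_HASHES = {
    "md5": "98a6e1822713de89f26b0bfaf4f50d97",
    "sha1": "92daf88970adc6e488213319201816a5a59d2d53",
    "sha256": "aa55631f758db92cf673fa0cc63dc03781f3ad86ffa61ba31a9eb73140ab9de2",
    "sha512": "0881b7027c7c361e47b73f596a4820c628f715e26339bec4f71fb44a4c17a4c2"
              "8f7149065cfc7fc71f36c6836d70ed3b7603acce5ece5a3affc166b6a35a2a57",
}
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}

# Constructed DNS log lines for the demonstration (not from the sandbox run).
SAMPLE_DNS_LOG = [
    "2023-11-21T09:13:02Z host=WS-017 qname=vanaheim.cn qtype=A",
    "2023-11-21T09:13:05Z host=WS-017 qname=cdn.jotunheim.name. qtype=A",
    "2023-11-21T09:13:09Z host=WS-042 qname=www.example.org qtype=AAAA",
    "2023-11-21T09:14:11Z host=WS-042 qname=vanaheim.cn.example.org qtype=A",
]


def digest_bytes(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digest_bytes, but streamed so large files are not read at once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests: dict) -> list:
    """Names of the algorithms whose digest equals the report's value.
    Comparison is case-insensitive because hashes are often pasted upper-case."""
    return [n for n, v in digests.items() if v.lower() == REPORT_HASHES[n]]


# A hostname-looking token: label chars, at least one dot, alphabetic TLD.
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")


def dns_hits(log_lines) -> list:
    """(line, c2_domain) pairs for lines that name a C2 domain or a subdomain.
    Suffix matching on a dot boundary rejects both 'notvanaheim.cn' and
    'vanaheim.cn.example.org'."""
    hits = []
    for line in log_lines:
        for tok in HOST_TOKEN.findall(line):
            name = tok.lower().rstrip(".")     # trailing dot = absolute name
            for dom in C2_DOMAINS:
                if name == dom or name.endswith("." + dom):
                    hits.append((line.strip(), dom))
    return hits


if __name__ == "__main__":
    for path in sys.argv[1:]:
        hit = matches_report(digest_file(path))
        print(f"{path}: {'MATCH ' + ','.join(hit) if hit else 'no match'}")
    for line, dom in dns_hits(SAMPLE_DNS_LOG):
        print(f"C2 lookup ({dom}): {line}")
```

Run it as `python ioc_check.py <file>` to hash suspect files; the DNS sweep uses the constructed lines unless you feed it your own resolver or Sysmon Event 22 records.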

Targets

    • Target

      file.exe

    • Size

      228KB

    • MD5

      98a6e1822713de89f26b0bfaf4f50d97

    • SHA1

      92daf88970adc6e488213319201816a5a59d2d53

    • SHA256

      aa55631f758db92cf673fa0cc63dc03781f3ad86ffa61ba31a9eb73140ab9de2

    • SHA512

      0881b7027c7c361e47b73f596a4820c628f715e26339bec4f71fb44a4c17a4c28f7149065cfc7fc71f36c6836d70ed3b7603acce5ece5a3affc166b6a35a2a57

    • SSDEEP

      3072:ZhADULG/X+32wZXTOMgepSGaIrOe1od08Eqnm1yGdvHLDzI57:uOGW35ZX5PpSGaIloPE919lbI5

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
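An added detection example, not part of the Triage report: it maps the behaviours listed above onto host telemetry (Sysmon Event IDs 1, 11 and 13, plus System log 7045 for service installation) and alerts when one host shows several of them inside a short window. Field names follow Sysmon's schema; the service name `examplesvc`, the file paths and the events themselves are constructed for the example, not observed in the sandbox run. Two listed behaviours are deliberately not covered: the registry read behind "Checks computer location settings" and the SetThreadContext call are not logged by Sysmon (it records registry writes, not reads, and has no thread-context event), so those come from the sandbox's API hooking only.

```python
"""Behaviour-cluster detection for the listed Tofsee signatures (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)
SVC_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)
FW_CHANGE = re.compile(r"advfirewall.*\b(add|set|delete)\b")   # not "show"


def classify(ev: dict):
    """Return the report behaviour an event corresponds to, or None."""
    eid, f = ev["event_id"], ev["fields"]
    cmd = f.get("CommandLine", "").lower()
    image = f.get("Image", "").lower()
    parent = f.get("ParentImage", "").lower()
    if eid == 7045:                                    # System: service installed
        return "Creates new service(s)"
    if eid == 13 and SVC_IMAGEPATH.search(f.get("TargetObject", "")):
        return "Sets service image path in registry"   # Sysmon: registry value set
    if eid == 11 and SYSTEM32.search(f.get("TargetFilename", "")):
        return "Drops file in System32 directory"      # Sysmon: file created
    if eid == 1 and image.endswith("\\netsh.exe") and FW_CHANGE.search(cmd):
        return "Modifies Windows Firewall"             # Sysmon: process created
    if eid == 1 and image.endswith("\\cmd.exe") and re.search(r"\bdel\b", cmd) \
            and parent and parent in cmd:
        return "Deletes itself"                        # parent asks cmd to delete its own binary
    return None


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Per host, collect tagged behaviours; alert when at least `threshold`
    distinct behaviours fall inside `window`. Returns {host: sorted tags}."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(tags) >= threshold:
                alerts[host] = sorted(tags)
                break
    return alerts


# Constructed events (hypothetical service name and paths, not from the sandbox).
DROPPER = r"C:\Users\u\Downloads\file.exe"
SVC_EXE = r"C:\Windows\System32\examplesvc.exe"
SAMPLE_EVENTS = [
    {"time": "2023-11-21T09:13:02", "host": "WS-017", "event_id": 11,
     "fields": {"Image": DROPPER, "TargetFilename": SVC_EXE}},
    {"time": "2023-11-21T09:13:03", "host": "WS-017", "event_id": 7045,
     "fields": {"ServiceName": "examplesvc", "ImagePath": SVC_EXE}},
    {"time": "2023-11-21T09:13:03", "host": "WS-017", "event_id": 13,
     "fields": {"TargetObject": r"HKLM\System\CurrentControlSet\Services\examplesvc\ImagePath",
                "Details": SVC_EXE}},
    {"time": "2023-11-21T09:13:05", "host": "WS-017", "event_id": 1,
     "fields": {"Image": r"C:\Windows\System32\netsh.exe",
                "CommandLine": 'netsh advfirewall firewall add rule name="examplesvc" '
                               'dir=in action=allow program="' + SVC_EXE + '"'}},
    {"time": "2023-11-21T09:13:06", "host": "WS-017", "event_id": 1,
     "fields": {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
                "CommandLine": 'cmd.exe /c ping 127.0.0.1 -n 3 & del "' + DROPPER + '"'}},
    {"time": "2023-11-21T10:40:00", "host": "WS-042", "event_id": 1,      # benign admin query
     "fields": {"Image": r"C:\Windows\System32\netsh.exe",
                "CommandLine": "netsh advfirewall show allprofiles"}},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(tags))
```

Any single behaviour here is common on a healthy host (installers create services and firewall rules too); the value is the cluster, so tune `threshold` and `window` against your own baseline rather than alerting on one tag.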

MITRE ATT&CK Enterprise v15

Tasks