General

  • Target

    file.exe

  • Size

    278KB

  • Sample

    231121-l17t1sed5x

  • MD5

    04be506f95725779d037a8b95dabb7e7

  • SHA1

    c7545e5fda8c6d69c4474bece19640ef371933d0

  • SHA256

    2b46bdbe9369c12a57b45985d45c7793a65866b9b39b31affc868cfe2e6e9d2f

  • SHA512

    34eca68df3884c53363fd642948de57493733350cce5831b7c7d3485125b88ea25f05a9a36e60e4cf4c711f70398c87754ff4e2ea264934ee6a66ebc17f9e800

  • SSDEEP

    3072:nL9A+CYJSUuHGYWajKZj98TASMmeHWX7GKGZeHQDznrhz7:ljJuHNW8sj98kSbPX7GcQp

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
