General

  • Target: 45967aa94e05993a238471256c76cf50_NeikiAnalytics
  • Size: 10.0MB
  • Sample: 240510-cfz41afg57
  • MD5: 45967aa94e05993a238471256c76cf50
  • SHA1: 7eac6fa92215523db5d653d7908cac6f4d98886e
  • SHA256: b95cdea4530305336110efedcb5c7253abe364a9dcffd3480d0e2eeb7cf7d22d
  • SHA512: 725d93c0a67569e877a0bcf1ee4b66eeec722b416079e0925c14088c303d06f2471a06dc419dbefe943650c2f426caf50294f663fb5dbd35b3d4c8abdc775abf
  • SSDEEP: 49152:TQfztttttttttttttttttttttttttttttttttttttttttttttttttttttttttttN:TQ

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

  • Target: 45967aa94e05993a238471256c76cf50_NeikiAnalytics (10.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

  • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  • Windows security bypass
  • Creates new service(s)
  • Modifies Windows Firewall
  • Sets service image path in registry
  • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  • Deletes itself
  • Executes dropped EXE
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  Execution
    • System Services (T1569): 1
      • Service Execution (T1569.002): 1

  Persistence
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

  Privilege Escalation
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

  Defense Evasion
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 2

  Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Tasks