tofsee | dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d | Triage

Sharing

General

Target

dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
Size

11.1MB
Sample

240511-j63q5sgc8v
MD5

0ad58678a408902fd64f7af414738868
SHA1

c3f7da6f93660d26259ceafb4c4d13cb7160455e
SHA256

dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
SHA512

2f441ca748ec8cd9e94a6759979caa64c30c1d10ba6931cf36288dd65596bc9445dec79d2b47bf3e2d9e82358a5ca05574513123c49f0eba23470585d3e68e54
SSDEEP

12288:mSpmG/1+U3VGAnqy5iXBhULiprrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr:L/1+U3Q6ixyLi

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
- Size
  
  11.1MB
- MD5
  
  0ad58678a408902fd64f7af414738868
- SHA1
  
  c3f7da6f93660d26259ceafb4c4d13cb7160455e
- SHA256
  
  dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
- SHA512
  
  2f441ca748ec8cd9e94a6759979caa64c30c1d10ba6931cf36288dd65596bc9445dec79d2b47bf3e2d9e82358a5ca05574513123c49f0eba23470585d3e68e54
- SSDEEP
  
  12288:mSpmG/1+U3VGAnqy5iXBhULiprrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr:L/1+U3Q6ixyLi
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan