General

  • Target

    5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd.exe

  • Size

    290KB

  • Sample

    240615-bxsktayapr

  • MD5

    985584f5b7be5d605c1264624f4bd68e

  • SHA1

    8efbf3680021b3fb3b68094ee5296dcabb5abc1a

  • SHA256

    5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd

  • SHA512

    e6c582d168f066c031161b8b098114edd95f5fde5c70eb1e8150fb44fd3520a4be7e9e71195c3c58078d7b9802e053ffa3e452a87965eb9e6a0ac580ccd8e34b

  • SSDEEP

    3072:NNnq5gpiR+cS7kBapQOm47e6rGyQqKCHRsJFULJtkSUyHbmcnTVaz42JVOrTKYj:rq5gN70xee6treFD7y7mcnTVaBJVOrT

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks