General

  • Target

    vbojcjwr.exe

  • Size

    14.6MB

  • Sample

    240903-h6s19ssbmf

  • MD5

    0b6833eac88372fe36ddb7217eca8b41

  • SHA1

    240c3b81c19be5b09d140bbd9a35060f4a7a7573

  • SHA256

    4a5face1152fe18fd167e2f785857e0e4266997ff8d74285fa920bcb83523ca8

  • SHA512

    2d60e25ba50d496b3f359deb713e2c206edbffb6bd2233729ad0bba87cb247ba5bb6a3c0f6d3a6f5bcde3b58e3c58259490c62bff14769efff6f77280069519b

  • SSDEEP

    6144:qw0VDy74AW/47pwSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSn:qw0VD7AW/49

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      vbojcjwr.exe

    • Size

      14.6MB

    • MD5

      0b6833eac88372fe36ddb7217eca8b41

    • SHA1

      240c3b81c19be5b09d140bbd9a35060f4a7a7573

    • SHA256

      4a5face1152fe18fd167e2f785857e0e4266997ff8d74285fa920bcb83523ca8

    • SHA512

      2d60e25ba50d496b3f359deb713e2c206edbffb6bd2233729ad0bba87cb247ba5bb6a3c0f6d3a6f5bcde3b58e3c58259490c62bff14769efff6f77280069519b

    • SSDEEP

      6144:qw0VDy74AW/47pwSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSn:qw0VD7AW/49

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks