General

  • Target

    knkduwqg.exe

  • Size

    11.8MB

  • Sample

    240903-vgsqessfqa

  • MD5

    b32f61c5c47e9473cf4a0ac98e8143c1

  • SHA1

    d6de6d48a87510f4ba641785e56311a4732dcf26

  • SHA256

    2d49ab2f33264eb29d38ab91a7c6dc193a6a0fa65260b0295b1123c18612d7c5

  • SHA512

    cc0cc0499616d0277920597b7beb8ee0b53d99c9e8d8c827c6e2244dc9a98785a848f17368f6991d362f9b6f76cd3a1f7ebcc31e99c34097c458872336ab5c21

  • SSDEEP

    6144:9c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:91OZDisvwdaxO0PuG1R4CWs

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      knkduwqg.exe

    • Size

      11.8MB

    • MD5

      b32f61c5c47e9473cf4a0ac98e8143c1

    • SHA1

      d6de6d48a87510f4ba641785e56311a4732dcf26

    • SHA256

      2d49ab2f33264eb29d38ab91a7c6dc193a6a0fa65260b0295b1123c18612d7c5

    • SHA512

      cc0cc0499616d0277920597b7beb8ee0b53d99c9e8d8c827c6e2244dc9a98785a848f17368f6991d362f9b6f76cd3a1f7ebcc31e99c34097c458872336ab5c21

    • SSDEEP

      6144:9c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:91OZDisvwdaxO0PuG1R4CWs

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks