General

  • Target

    qkkcfptf.exe

  • Size

    11.6MB

  • Sample

    240903-vgvvsa1fnj

  • MD5

    fed6d9f141d4ac6b3388a2c90722bd62

  • SHA1

    3480f699c94d4a520c8d92dfd2f6c84d5bd9668b

  • SHA256

    b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf

  • SHA512

    f678216084e177bc51879d697f6e4201449874ed1c6f4c41fc1cb62aecf8ed5c3ab17784c1d30c481ee99c727fe0a29cd2854bdcaf554b3da425d59b5e957719

  • SSDEEP

    6144:rc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:r1OZDisvwdaxO0PuG1R4CWs

Malware Config

  • Extracted

    Family

      tofsee

    C2

      vanaheim.cn
      jotunheim.name

Targets

    • Target

      qkkcfptf.exe

    • Size

      11.6MB

    • MD5

      fed6d9f141d4ac6b3388a2c90722bd62

    • SHA1

      3480f699c94d4a520c8d92dfd2f6c84d5bd9668b

    • SHA256

      b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf

    • SHA512

      f678216084e177bc51879d697f6e4201449874ed1c6f4c41fc1cb62aecf8ed5c3ab17784c1d30c481ee99c727fe0a29cd2854bdcaf554b3da425d59b5e957719

    • SSDEEP

      6144:rc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:r1OZDisvwdaxO0PuG1R4CWs

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks