General

  • Target

    6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f

  • Size

    191KB

  • Sample

    240904-fcy93svdnn

  • MD5

    57d8986f5db1704c0d6a46f1c6cbd77e

  • SHA1

    8d1761161e37a7c071d19700cb2b3a073d28f6f0

  • SHA256

    6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f

  • SHA512

    cbe09dd61dbf004195fef0dbe15c4abe6eaa6d7f6cfdf87b6019f46a585eedd3f97ff9f9da924bd9e673655096e005058cf3a2f6799b31cbce9ab9966ddeb6b6

  • SSDEEP

    3072:jH+lBBpz9/vh9yxqucBeJAD/MsgzPl5LjRZkpyqp29yOyb1:SBpz9/vh9yxWe+0sgzP/LjRZoJH

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f

    • Size

      191KB

    • MD5

      57d8986f5db1704c0d6a46f1c6cbd77e

    • SHA1

      8d1761161e37a7c071d19700cb2b3a073d28f6f0

    • SHA256

      6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f

    • SHA512

      cbe09dd61dbf004195fef0dbe15c4abe6eaa6d7f6cfdf87b6019f46a585eedd3f97ff9f9da924bd9e673655096e005058cf3a2f6799b31cbce9ab9966ddeb6b6

    • SSDEEP

      3072:jH+lBBpz9/vh9yxqucBeJAD/MsgzPl5LjRZkpyqp29yOyb1:SBpz9/vh9yxWe+0sgzP/LjRZoJH

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks