General

  • Target

    36b524a7a3b444ebe042a71bcd6fab2a615371e036a8c6a3514e78dc2c9445f1

  • Size

    399KB

  • Sample

    240905-wk1e4swfkr

  • MD5

    05b66bfebe0f44b1eb15ede797adbecd

  • SHA1

    6a9227f4cdc2cd60f594ccf4a265a39bea7bdeab

  • SHA256

    36b524a7a3b444ebe042a71bcd6fab2a615371e036a8c6a3514e78dc2c9445f1

  • SHA512

    1cae3a1419d42c0b131e475549731d4e37cb64e9e945451308bca32f1667ef4621ab8aeaf794f66b6a9e510c1368aa6fafdd52c6dd618e2afddaff043c877517

  • SSDEEP

    6144:0Epz3ZfyHfWBmYALwRzU3EHHxdzJF0PwVFdgiR4i/OP3A:0Epz3ZfyHfWB7o3EHRdFFwEOc48

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name
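The indicators above are what an analyst takes away from this report: the four file digests (from the General section) to confirm that a file on hand really is this sample, and the two extracted C2 domains to hunt for in DNS logs. The following script, an added example and not part of the sandbox's own tooling, does both. It checks every listed digest rather than just one, so a transcription error or a single-algorithm mismatch shows up as a partial match, and it matches C2 domains on DNS labels so that subdomains of an IOC hit while look-alikes such as `notvanaheim.cn` do not. The DNS log format (`<timestamp> <client_ip> <qname> <qtype>`) and the log lines are constructed for the example; the SSDEEP hash is not checked because computing it needs a third-party library.

```python
import hashlib
import re

# Digests and C2 domains copied from the sandbox report above (Tofsee sample).
REPORT_HASHES = {
    "md5": "05b66bfebe0f44b1eb15ede797adbecd",
    "sha1": "6a9227f4cdc2cd60f594ccf4a265a39bea7bdeab",
    "sha256": "36b524a7a3b444ebe042a71bcd6fab2a615371e036a8c6a3514e78dc2c9445f1",
    "sha512": "1cae3a1419d42c0b131e475549731d4e37cb64e9e945451308bca32f1667ef46"
              "21ab8aeaf794f66b6a9e510c1368aa6fafdd52c6dd618e2afddaff043c877517",
}
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def matches_report(data: bytes, report: dict = REPORT_HASHES) -> dict:
    """Return {algorithm: bool} saying which report digests match `data`.

    All four are compared: an all-True result confirms the sample, an
    all-False result is a different file, and anything in between means the
    report (or the copy of it) was transcribed wrongly."""
    computed = hash_bytes(data)
    return {alg: computed[alg] == report[alg].lower() for alg in report}


def domain_matches(qname: str, iocs=C2_DOMAINS) -> bool:
    """True if qname equals an IOC domain or is a subdomain of one.

    Comparison is done label by label after stripping the trailing dot and
    lowercasing, so 'mail.jotunheim.name.' matches but 'notvanaheim.cn'
    does not (a plain substring test would accept the latter)."""
    labels = qname.lower().rstrip(".").split(".")
    for ioc in iocs:
        ioc_labels = ioc.lower().split(".")
        if labels[-len(ioc_labels):] == ioc_labels:
            return True
    return False


# Constructed log format for this example: "<timestamp> <client_ip> <qname> <qtype>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)")


def scan_dns_log(lines) -> list:
    """Return (timestamp, client_ip, qname) for every query to a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


# Constructed DNS log lines: two C2 lookups, one benign, one look-alike.
SAMPLE_DNS_LOG = [
    "2024-09-05T12:00:01Z 10.0.0.15 vanaheim.cn. A",
    "2024-09-05T12:00:02Z 10.0.0.15 www.example.com. A",
    "2024-09-05T12:00:03Z 10.0.0.22 mail.jotunheim.name. A",
    "2024-09-05T12:00:04Z 10.0.0.31 notvanaheim.cn. A",
]


if __name__ == "__main__":
    import sys

    # Usage: python triage.py <file>   (the file is checked against the report digests)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            for alg, ok in matches_report(fh.read()).items():
                print(f"{alg:7} {'MATCH' if ok else 'no match'}")
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup {qname} from {client} at {ts}")
```

Run against the sample file itself, all four rows print MATCH; against the constructed log the two C2 hits are `vanaheim.cn.` from 10.0.0.15 and `mail.jotunheim.name.` from 10.0.0.22, while `notvanaheim.cn.` is correctly ignored.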

Targets

    • Target

      36b524a7a3b444ebe042a71bcd6fab2a615371e036a8c6a3514e78dc2c9445f1

    • Size

      399KB

    • MD5

      05b66bfebe0f44b1eb15ede797adbecd

    • SHA1

      6a9227f4cdc2cd60f594ccf4a265a39bea7bdeab

    • SHA256

      36b524a7a3b444ebe042a71bcd6fab2a615371e036a8c6a3514e78dc2c9445f1

    • SHA512

      1cae3a1419d42c0b131e475549731d4e37cb64e9e945451308bca32f1667ef4621ab8aeaf794f66b6a9e510c1368aa6fafdd52c6dd618e2afddaff043c877517

    • SSDEEP

      6144:0Epz3ZfyHfWBmYALwRzU3EHHxdzJF0PwVFdgiR4i/OP3A:0Epz3ZfyHfWB7o3EHRdFFwEOc48

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15