General

  • Target

    27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d.exe

  • Size

    415KB

  • Sample

    240921-ve7rkasgmf

  • MD5

    1c5083792acfccf5d90db80884569ace

  • SHA1

    6be243663a2d173dcd728146f2a3d1a5a974ff38

  • SHA256

    27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d

  • SHA512

    8af309adcaed0055ca8b2c879a1ff16e9d0d853ab3837c94719d09c03bf27b32125581f525ef99caa4488b184bfc5565b033333cd4af9e4240aa23963dd76a1b

  • SSDEEP

    6144:+nhYTBI6ONsWWqOaejSlD8viNV43Km3Wlz8+5FXCnFk:2aTy6OlO3GDyYnSC

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d.exe

    • Size

      415KB

    • MD5

      1c5083792acfccf5d90db80884569ace

    • SHA1

      6be243663a2d173dcd728146f2a3d1a5a974ff38

    • SHA256

      27ca44d4fca5a29c0018efeebbda04250739a546e4b7879bd5a547aaea1de80d

    • SHA512

      8af309adcaed0055ca8b2c879a1ff16e9d0d853ab3837c94719d09c03bf27b32125581f525ef99caa4488b184bfc5565b033333cd4af9e4240aa23963dd76a1b

    • SSDEEP

      6144:+nhYTBI6ONsWWqOaejSlD8viNV43Km3Wlz8+5FXCnFk:2aTy6OlO3GDyYnSC

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks