General

  • Target

    14f786175f9af49c0b778aaef2072760f96ee7b35146f99f0283f95fec9e63e1

  • Size

    10.0MB

  • Sample

    211130-tjf9qsfdfr

  • MD5

    db37427c0df4037ae438918b0e693485

  • SHA1

    e2174a50d56be469103f0354e89c1b5816605c5a

  • SHA256

    14f786175f9af49c0b778aaef2072760f96ee7b35146f99f0283f95fec9e63e1

  • SHA512

    6d6b45b8dc768924d2a7050ddc7601cf02483f9b827a86fe29c48c55f1d8b4cc667af8fd05ab8eea2f37e21380ddfbdeea1e3ca5da00b4ddf5e0077e8be83bb6

Malware Config

Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru
    refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1050 New Service (1)
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1050 New Service (1)

  • Defense Evasion

    T1089 Disabling Security Tools (1)
    T1112 Modify Registry (2)

  • Discovery

    T1082 System Information Discovery (1)

Tasks