Resubmissions

  • 23-01-2022 08:31  220123-kesbrsffaq  10
  • 23-01-2022 08:05  220123-jyzdrafedm  10

General

  • Target: 46f6a592ad2c7f7fd7b4febd7d5945dde92b39fca05ef4f707a754bbcbf43f02
  • Size: 249KB
  • Sample: 220123-kesbrsffaq
  • MD5: 699f1f7aaace9f5e66e41e0b2a96074e
  • SHA1: cd9b07ed916ba114fc23b7a71ea67b659b91e2a0
  • SHA256: 46f6a592ad2c7f7fd7b4febd7d5945dde92b39fca05ef4f707a754bbcbf43f02
  • SHA512: 470faae440b4cc5329c8e6428e566f3bac390fbd9833e5036a96797992b9f8db8e69f9c275913a9c87214ec905064ab7a03e5c6e55a82e3af6f066799f741a0f

Malware Config

Extracted

  • Family: tofsee
  • C2: patmushta.info, ovicrush.cn

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high performance, open source, cross platform CPU/GPU miner.
    • XMRig Miner Payload
    • Creates new service(s)
    • Executes dropped EXE
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Deletes itself
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: New Service (T1050) 1; Modify Existing Service (T1031) 1; Registry Run Keys / Startup Folder (T1060) 1
  • Privilege Escalation: New Service (T1050) 1
  • Defense Evasion: Disabling Security Tools (T1089) 1; Modify Registry (T1112) 2
  • Discovery: System Information Discovery (T1082) 3; Query Registry (T1012) 2; Peripheral Device Discovery (T1120) 1

Tasks