General

  • Target

    52403e9ecb979da03968dee33f93d82195840c1dfa78d603bb3a0438411fef9d

  • Size

    309KB

  • Sample

    220620-e5yzcaeear

  • MD5

    b018a63655e1b744520f6722d46543c8

  • SHA1

    a87df4af49329c313e31a327a1f6de604a858d18

  • SHA256

    52403e9ecb979da03968dee33f93d82195840c1dfa78d603bb3a0438411fef9d

  • SHA512

    8cc920a18a06c9ebeb17e14a47ca262bee23109943f9026ddaa09bb72edb402e56ebd41849f9fee302641cdef9736118504901408ad7d9a78c8291fa9045b686

Malware Config (extracted)

  • Family

    tofsee

  • C2

    svartalfheim.top
    jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1050 New Service (1)
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1050 New Service (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Tasks