General

  • Target

    284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2

  • Size

    197KB

  • Sample

    220924-25ddzacdb7

  • MD5

    e9bea2fcfe2d5db06689cb740d2acf80

  • SHA1

    df53499ece31d0768e64cd155239fd9b99d3d6c1

  • SHA256

    284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2

  • SHA512

    40b44782ffba0e8aac41627bd2aaf80bc2d6906cdcd7752cb9eac3be606b3eadea9d6069195ffb18db24019580e89f5f0f82b4cc49f6bd2497903f67909a968d

  • SSDEEP

    3072:lPsFfSLiJblJhN5muBiRnYB/k3E2Fp64zDWGpBMY/PkkXx:JLklJ1gYdf6BzD

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2

    • Size

      197KB

    • MD5

      e9bea2fcfe2d5db06689cb740d2acf80

    • SHA1

      df53499ece31d0768e64cd155239fd9b99d3d6c1

    • SHA256

      284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2

    • SHA512

      40b44782ffba0e8aac41627bd2aaf80bc2d6906cdcd7752cb9eac3be606b3eadea9d6069195ffb18db24019580e89f5f0f82b4cc49f6bd2497903f67909a968d

    • SSDEEP

      3072:lPsFfSLiJblJhN5muBiRnYB/k3E2Fp64zDWGpBMY/PkkXx:JLklJ1gYdf6BzD

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks