General

  • Target

    04a4ae292035cdb08ed939c6d104477a71f19396bb413d8258e618bfe19e1018

  • Size

    196KB

  • Sample

    220924-wcpnmsbfh4

  • MD5

    10ca914ac3dffb4ea2fea05db291a14e

  • SHA1

    5aeaf990cd8c88d38a14677797261ac950d174cb

  • SHA256

    04a4ae292035cdb08ed939c6d104477a71f19396bb413d8258e618bfe19e1018

  • SHA512

    72fc17e3bbad99bdf05df0bd3e1f59a99de9c1ade75042f1e19af66e1d55b195e040f4473c74c549bc400f7cc70078ff00c132466cf677209657bfdf2d690827

  • SSDEEP

    3072:njZ0ppLMOIV1A5jzi+wV5ilKPInP3dkCEBKd8uy/Pkk4x:jiLoVF+MyKIP3dnCu

Malware Config

Extracted

  • Family

    tofsee

  • C2

    svartalfheim.top
    jotunheim.name

Targets

    • Target

      04a4ae292035cdb08ed939c6d104477a71f19396bb413d8258e618bfe19e1018

    • Size

      196KB

    • MD5

      10ca914ac3dffb4ea2fea05db291a14e

    • SHA1

      5aeaf990cd8c88d38a14677797261ac950d174cb

    • SHA256

      04a4ae292035cdb08ed939c6d104477a71f19396bb413d8258e618bfe19e1018

    • SHA512

      72fc17e3bbad99bdf05df0bd3e1f59a99de9c1ade75042f1e19af66e1d55b195e040f4473c74c549bc400f7cc70078ff00c132466cf677209657bfdf2d690827

    • SSDEEP

      3072:njZ0ppLMOIV1A5jzi+wV5ilKPInP3dkCEBKd8uy/Pkk4x:jiLoVF+MyKIP3dnCu

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    T1050 New Service (1)
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1050 New Service (1)

  • Defense Evasion

    T1089 Disabling Security Tools (1)
    T1112 Modify Registry (2)

  • Discovery

    T1082 System Information Discovery (1)

Tasks