General

  • Target

    ecb302e999e0959abd9bdd330401ea9f

  • Size

    196KB

  • Sample

    220924-ysl9kabhd4

  • MD5

    ecb302e999e0959abd9bdd330401ea9f

  • SHA1

    529e9342005a6295d865fa4d1188126229b2a0bd

  • SHA256

    eb6bda9737c6ace5c9f38b44dba312f18fe0bf044b4848817c17b4e1a74d90b9

  • SHA512

    1f084be926b1fe6f68bc0637e762c4d407a6f8b8d8a90b3f9157120beca96409d0cba495675f9fe1490f4c61840c96762d364ecb2dd27ac2376a4e526c38639f

  • SSDEEP

    3072:D1nI7LRgcLJA5gRrHSq6yz7F52jPaiPGONFHNRJtBc94al+/PkkXx:SLtLR5/hnSjSi+ONFtRKBl

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      ecb302e999e0959abd9bdd330401ea9f

    • Size

      196KB

    • MD5

      ecb302e999e0959abd9bdd330401ea9f

    • SHA1

      529e9342005a6295d865fa4d1188126229b2a0bd

    • SHA256

      eb6bda9737c6ace5c9f38b44dba312f18fe0bf044b4848817c17b4e1a74d90b9

    • SHA512

      1f084be926b1fe6f68bc0637e762c4d407a6f8b8d8a90b3f9157120beca96409d0cba495675f9fe1490f4c61840c96762d364ecb2dd27ac2376a4e526c38639f

    • SSDEEP

      3072:D1nI7LRgcLJA5gRrHSq6yz7F52jPaiPGONFHNRJtBc94al+/PkkXx:SLtLR5/hnSjSi+ONFtRKBl

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks