General

  • Target

    57dd3e0f5422b1a894b0b9de7ffcba951b37c82966866363fab31050ce89ddc2

  • Size

    146KB

  • Sample

    221129-2wqmyafa96

  • MD5

    060da2e646a7e13deb80cea961165c1d

  • SHA1

    65689391b1898adc630e4c88e2bca939118592fd

  • SHA256

    57dd3e0f5422b1a894b0b9de7ffcba951b37c82966866363fab31050ce89ddc2

  • SHA512

    113af8be30e663fcd2ac89a6984e81969b83d295a8b9536845ad1dc6ffcb79f1f8c15f49e6ee48a2b55218d9c628e28fc676952c4c84e4abfba0db341391d844

  • SSDEEP

    3072:rDJP/dU+27P52zUp5A9ORQR6uUu7qTTFjycsDFvY4PjBi:5Hda52f4RQAuU9Tdcjg

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name
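The two C2 domains above are the cheapest network indicator this report yields. The Python below is an added example, not part of the sandbox report or of the Tofsee analysis: it sweeps a DNS query log for lookups of either domain, matching on label boundaries so that a look-alike such as `notjotunheim.name` is not flagged, and tolerating upper-case names and a trailing root dot. The log line format and the sample lines are constructed for the example; adapt `LOG_RE` to your resolver logs or a Sysmon Event ID 22 export.

```python
"""Flag DNS lookups for the Tofsee C2 domains listed in this report.

Added example, not part of the sandbox report. The log format is a
constructed, simplified "<timestamp> <client-ip> <qtype> <qname>" line.
"""
import re
from typing import Iterable, List, Tuple

# C2 domains from the "Malware Config" section of this report.
TOFSEE_C2_DOMAINS = ("svartalfheim.top", "jotunheim.name")

# Constructed log line format (assumption for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qtype>[A-Z]+)\s+"
    r"(?P<qname>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing root dot."""
    return name.rstrip(".").lower()


def is_c2_domain(qname: str, c2_domains=TOFSEE_C2_DOMAINS) -> bool:
    """True if qname equals a C2 domain or is a subdomain of one.

    Plain substring matching would also flag e.g. 'notjotunheim.name',
    so the suffix check requires a dot boundary.
    """
    q = normalize(qname)
    for c2 in c2_domains:
        c2n = normalize(c2)
        if q == c2n or q.endswith("." + c2n):
            return True
    return False


def find_c2_lookups(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, qname) for every line querying a C2 domain.

    Lines that do not parse are skipped so one bad record does not stop a sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if is_c2_domain(m["qname"]):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "2022-11-29T10:15:02Z 10.0.0.12 A www.example.com",
    "2022-11-29T10:15:03Z 10.0.0.12 A svartalfheim.top",
    "2022-11-29T10:15:04Z 10.0.0.12 A SVARTALFHEIM.TOP.",
    "2022-11-29T10:15:05Z 10.0.0.17 MX mail.jotunheim.name",
    "2022-11-29T10:15:06Z 10.0.0.17 A notjotunheim.name",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, qname in find_c2_lookups(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```

Run against the constructed log, the sweep reports three lookups (two for svartalfheim.top, one for mail.jotunheim.name) and ignores the look-alike and the unparseable line. Because Tofsee also resolves these names from infected hosts rather than from the sandbox, the client IP column is the pivot for finding the infected machine.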

Targets

    • Target

      57dd3e0f5422b1a894b0b9de7ffcba951b37c82966866363fab31050ce89ddc2

    • Tofsee

      Modular backdoor/botnet that carries out malicious activities (commonly spam distribution and cryptocurrency mining) based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner; here it is delivered as a cryptojacking payload rather than run by the machine's owner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext (typical of process hollowing: the thread of a suspended process is redirected to injected code)
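Several of the behaviours above (drops a file in System32, creates a service, sets the service image path in the registry, modifies the Windows Firewall) leave host telemetry that can be correlated rather than alerted on one by one. The Python below is an added example, not part of the sandbox report: it walks a time-ordered set of events and links a Sysmon FileCreate (Event ID 11) to a later System-log service install (Event ID 7045) whose ImagePath is that freshly dropped System32 binary, flags Sysmon registry writes (Event ID 13) to any `Services\<name>\ImagePath` value, and flags `netsh` firewall changes from process-creation events (Event ID 1). The event dictionaries, field names (taken from the Sysmon schema), service name and file name are all constructed for the example; a real export needs the same fields mapped in.

```python
"""Correlate host telemetry against behaviours listed in this report.

Added example, not part of the sandbox report. Events are constructed
dictionaries in a simplified Sysmon / System-log-to-JSON shape.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

SYSTEM32 = "c:\\windows\\system32\\"
# HKLM\SYSTEM\<ControlSet>\Services\<name>\ImagePath, lower-cased
SERVICES_KEY_RE = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\([^\\]+)\\imagepath$"
)
# Executable part of a service ImagePath: optional quote, then up to ".exe"
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def parse_time(ev: Dict) -> datetime:
    """Sysmon-style UTC timestamp ('...Z') to an aware datetime."""
    return datetime.fromisoformat(ev["UtcTime"].replace("Z", "+00:00"))


def exe_path(image_path: str) -> str:
    """Lower-cased executable path with quotes and arguments stripped."""
    m = EXE_RE.match(image_path.strip())
    return (m.group(1) if m else image_path.strip()).lower()


def is_netsh_firewall_change(cmdline: str) -> bool:
    """True for netsh commands that add/set/delete firewall state (old and advfirewall syntax)."""
    c = " " + cmdline.lower() + " "
    return "netsh" in c and "firewall" in c and any(v in c for v in (" add ", " set ", " delete "))


def triage(events: Iterable[Dict], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return human-readable findings, in time order."""
    findings: List[str] = []
    created: Dict[str, datetime] = {}  # dropped file path -> creation time
    for ev in sorted(events, key=parse_time):
        eid = ev["EventID"]
        if eid == 11:  # Sysmon FileCreate
            created[ev["TargetFilename"].lower()] = parse_time(ev)
        elif eid == 13:  # Sysmon RegistryEvent (value set)
            m = SERVICES_KEY_RE.match(ev["TargetObject"].lower())
            if m:
                findings.append(
                    f"service ImagePath set in registry: {m.group(2)} -> {exe_path(ev['Details'])}"
                )
        elif eid == 7045:  # System log: a service was installed
            path = exe_path(ev["ImagePath"])
            when = created.get(path)
            if path.startswith(SYSTEM32) and when is not None and parse_time(ev) - when <= window:
                findings.append(
                    f"new service {ev['ServiceName']} runs a just-dropped System32 binary: {path}"
                )
        elif eid == 1 and is_netsh_firewall_change(ev["CommandLine"]):  # Sysmon ProcessCreate
            findings.append(f"Windows Firewall modified via netsh by {ev['Image'].lower()}")
    return findings


# Constructed events (service and file names made up for the example).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-11-29T10:15:00Z",
     "Image": "C:\\Users\\user\\Desktop\\sample.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow '
                    'program="C:\\Windows\\System32\\svchelper.exe"'},
    {"EventID": 11, "UtcTime": "2022-11-29T10:15:01Z",
     "Image": "C:\\Users\\user\\Desktop\\sample.exe",
     "TargetFilename": "C:\\Windows\\System32\\svchelper.exe"},
    {"EventID": 13, "UtcTime": "2022-11-29T10:15:02Z",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svchelper\\ImagePath",
     "Details": "C:\\Windows\\System32\\svchelper.exe"},
    {"EventID": 7045, "UtcTime": "2022-11-29T10:15:03Z",
     "ServiceName": "svchelper", "ImagePath": "C:\\Windows\\System32\\svchelper.exe"},
    # Legitimate-looking service with no preceding FileCreate: not flagged.
    {"EventID": 7045, "UtcTime": "2022-11-29T10:20:00Z",
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 1, "UtcTime": "2022-11-29T10:21:00Z",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh interface show interface"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The FileCreate-to-service correlation is what separates this from a noisy "new service in System32" rule: Windows installs plenty of services under System32, but a service whose binary appeared minutes earlier is the pattern described by this report. Widen or narrow `window` to taste, and extend the Event ID 1 branch with a `cmd.exe /c del` check if you also want the "Deletes itself" behaviour surfaced.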

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                           Count  v6 ID  Current ID
  Persistence           New Service                         1      T1050  T1543.003
  Persistence           Modify Existing Service             1      T1031  T1543.003
  Persistence           Registry Run Keys / Startup Folder  1      T1060  T1547.001
  Privilege Escalation  New Service                         1      T1050  T1543.003
  Defense Evasion       Disabling Security Tools            1      T1089  T1562.001
  Defense Evasion       Modify Registry                     2      T1112  T1112
  Discovery             System Information Discovery        1      T1082  T1082

The report tags techniques with ATT&CK v6 IDs, several of which were retired when sub-techniques were introduced in v7: T1050 and T1031 were merged into T1543.003 (Create or Modify System Process: Windows Service), T1060 became T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and T1089 became T1562.001 (Impair Defenses: Disable or Modify Tools). Map to the current IDs before feeding these tags into detection coverage tracking.
