General

  • Target

    3c75d33a1ff03643f809e83d374e7fcad2fb35e7f92fe1d7b1a48787fcc6c29d

  • Size

    146KB

  • Sample

    221129-wclxraec9t

  • MD5

    0310f2c1c5f82d3eefa5a49edb9debc3

  • SHA1

    c5bb5b5c1b1ffbb5656b8839e3c88a8fdba2b1b7

  • SHA256

    3c75d33a1ff03643f809e83d374e7fcad2fb35e7f92fe1d7b1a48787fcc6c29d

  • SHA512

    edf03f6ffd056c4892889d46c3311fb3cfa688697000e57e723c33e383543cdfbb1e801989d95db3c68575d9059aee6a14c0c5837389b9dfa23863d282cd14bc

  • SSDEEP

    3072:xbDRuVOoqhN6y5aqJXkqsDmQrzDBgc72AL99jmlOI62FQ:jugHhN8qx6mNu9sv62K

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    • New Service: T1050 (1)

    • Modify Existing Service: T1031 (1)

    • Registry Run Keys / Startup Folder: T1060 (1)

  • Privilege Escalation

    • New Service: T1050 (1)

  • Defense Evasion

    • Disabling Security Tools: T1089 (1)

    • Modify Registry: T1112 (2)

  • Discovery

    • System Information Discovery: T1082 (1)

Tasks