General

  • Target

    bd650f0d1cdae90e4a008e0ad214fdb8d16a549a5463d06d25d284c019b7657b

  • Size

    105KB

  • Sample

    221130-dxfx5acg25

  • MD5

    e1292699a879fe81a54646e39e84cf38

  • SHA1

    cee4a5ed5a84a1d2668de6e474c0539c47883a27

  • SHA256

    2e27c7716163ec248bd3e1e7aea8402eefd70218e1b95b32e6ac30154f2c856d

  • SHA512

    6af551eb72cce04a0c530d218f369ab58ed275794829e7d25f843b3c3d9aa4d25aba5ff35070e4ab81370f6618628e97d953df641dd1bbd1cb71dad3a793a204

  • SSDEEP

    1536:dJHwHy+8FP2Pli7Yjx1P13sMFYxgYQ+moyC3apCXGbpM4B1jI9s3Oftjiacxe:wS+8cwKv8LLpICqpF918G3IJx

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      bd650f0d1cdae90e4a008e0ad214fdb8d16a549a5463d06d25d284c019b7657b

    • Size

      147KB

    • MD5

      1b8099400f9b3df55bb4b9a6b4e0b849

    • SHA1

      9f737eeb8a5b084511a4b655cb5ace0413d2ed8b

    • SHA256

      bd650f0d1cdae90e4a008e0ad214fdb8d16a549a5463d06d25d284c019b7657b

    • SHA512

      da97e8411dc9cc7427906a427a3cd36bfcba2e6881c54764234588d6e1371339753469ddba9635366c51b58eb0314fe76235e96db011d59274cd6ca03bea9193

    • SSDEEP

      3072:rsL7PaCvJSVUn5fOkOVCvvj8n/NTWYtWmxP88xq9:gWCvJSVgOktHjufWm1E

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1050 New Service (1)
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1050 New Service (1)

  • Defense Evasion

    T1089 Disabling Security Tools (1)
    T1112 Modify Registry (2)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Tasks