General

  • Target

    file

  • Size

    305KB

  • Sample

    230206-j16wlsga7z

  • MD5

    852de13db9455fd69afb25152d2bc190

  • SHA1

    6b4e8bf22a0b1ff29ad78177ffcfe6bfdc732987

  • SHA256

    ab513af96685a9154f2aed67e27d314bcc569e5189afd4cbadf8c2756aeffbd0

  • SHA512

    45d61be5a6dfba3f0208d4eb9aca17de4b4c95cbe518117230b65d88d59c83eef3c8852a4e4931ccbcf14996afc8f5e4bc3c85db17faceba1eabe19091f6f298

  • SSDEEP

    3072:8NGbtUZOLxKgai4DRqJapHyj/KCL2cXLFHKPC9sxA76ov3XpCYoMRKT:0tOLggaVIJBX/Xuk6oh

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      file

    • Size

      305KB

    • MD5

      852de13db9455fd69afb25152d2bc190

    • SHA1

      6b4e8bf22a0b1ff29ad78177ffcfe6bfdc732987

    • SHA256

      ab513af96685a9154f2aed67e27d314bcc569e5189afd4cbadf8c2756aeffbd0

    • SHA512

      45d61be5a6dfba3f0208d4eb9aca17de4b4c95cbe518117230b65d88d59c83eef3c8852a4e4931ccbcf14996afc8f5e4bc3c85db17faceba1eabe19091f6f298

    • SSDEEP

      3072:8NGbtUZOLxKgai4DRqJapHyj/KCL2cXLFHKPC9sxA76ov3XpCYoMRKT:0tOLggaVIJBX/Xuk6oh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks