General

  • Target

    file

  • Size

    351KB

  • Sample

    230415-g1x8cseg7y

  • MD5

    876b7460308a741fe65c515f7ef86e14

  • SHA1

    c20b6df8bf9d01feb2926f51b8a565c978856007

  • SHA256

    6ce85f091b761bc59a20e6054f1dfee3cb9836f7ec51a38deff54cd57913b60c

  • SHA512

    6e08b81a4b4f1bafedb2245f9722e3362fd37a56ebd363b4a1f82a526dca9d1587c67f548c4a2ebb6876a2ad42c4144d89acc40af19ff60201454e67599ae5bc

  • SSDEEP

    6144:m9cO+BKw+rc1tSFd1jCoLnhZsc7VbOTi:m9cfBXEc1tSFmyn3scFp

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name
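The hashes in the General section and the two extracted C2 domains are the indicators a responder actually reuses from this report. The following script is an added example (not part of the report or of any sandbox tool) that turns them into two checks: confirming that a file on disk is this exact sample by comparing every digest the report lists, and scanning resolver logs for the C2 domains in a way that catches subdomains without matching look-alike names. The file bytes and the DNS log lines are constructed here so the script runs offline; SSDEEP is not recomputed because it needs the third-party `ssdeep` package.

```python
"""IOC checks built from the hashes and C2 domains in this Tofsee report.

Added example, not code from the report. The blob and DNS log below are
CONSTRUCTED; point check_file()/scan_dns_log() at real data to use them.
"""
import hashlib
import re

# Digests exactly as printed in the report's General section
REPORT_HASHES = {
    "md5": "876b7460308a741fe65c515f7ef86e14",
    "sha1": "c20b6df8bf9d01feb2926f51b8a565c978856007",
    "sha256": "6ce85f091b761bc59a20e6054f1dfee3cb9836f7ec51a38deff54cd57913b60c",
    "sha512": "6e08b81a4b4f1bafedb2245f9722e3362fd37a56ebd363b4a1f82a526dca9d15"
              "87c67f548c4a2ebb6876a2ad42c4144d89acc40af19ff60201454e67599ae5bc",
}
# C2 domains from the Malware Config section
C2_DOMAINS = frozenset({"vanaheim.cn", "jotunheim.name"})


def digests(data: bytes) -> dict:
    """All four digests of a blob, keyed like REPORT_HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per-algorithm comparison against the report. Check every digest, not just
    MD5: a single disagreement means a different file or a transcription error."""
    got = digests(data)
    return {algo: got[algo] == want for algo, want in REPORT_HASHES.items()}


def is_same_sample(data: bytes) -> bool:
    return all(matches_report(data).values())


def check_file(path: str) -> dict:
    """Hash a file on disk and compare it with the report (351KB, so one read is fine)."""
    with open(path, "rb") as fh:
        return matches_report(fh.read())


def c2_match(qname: str):
    """Return the C2 domain that qname equals or sits under, else None.
    Suffix-aware on label boundaries: 'mail.vanaheim.cn' hits, 'notvanaheim.cn'
    does not. Trailing dot and case are normalised first."""
    q = qname.rstrip(".").lower()
    for c2 in C2_DOMAINS:
        if q == c2 or q.endswith("." + c2):
            return c2
    return None


# Constructed resolver log, not from the sandbox run: "<ts> <client> query <qname>"
DNS_LOG = """\
2023-01-01T07:02:11Z 10.0.0.21 query vanaheim.cn.
2023-01-01T07:02:12Z 10.0.0.21 query MAIL.jotunheim.name
2023-01-01T07:02:13Z 10.0.0.22 query notvanaheim.cn
2023-01-01T07:02:14Z 10.0.0.23 query update.microsoft.com
this line is malformed and must be skipped rather than crash the scan
"""
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan_dns_log(text: str) -> list:
    """One hit per log line whose query name is a C2 domain or a subdomain of one."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        c2 = c2_match(m["qname"])
        if c2:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "c2": c2})
    return hits


if __name__ == "__main__":
    print("constructed bytes match report:", matches_report(b"not the sample"))
    for hit in scan_dns_log(DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (C2 {hit['c2']})")
```

Blocking or alerting on a bare substring of the domain would fire on `notvanaheim.cn` and miss nothing, but in larger IOC sets that false-positive rate is what gets the rule disabled; the label-boundary match above is the usual compromise.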

Targets

    • Target

      file

    • Size

      351KB

    • MD5

      876b7460308a741fe65c515f7ef86e14

    • SHA1

      c20b6df8bf9d01feb2926f51b8a565c978856007

    • SHA256

      6ce85f091b761bc59a20e6054f1dfee3cb9836f7ec51a38deff54cd57913b60c

    • SHA512

      6e08b81a4b4f1bafedb2245f9722e3362fd37a56ebd363b4a1f82a526dca9d1587c67f548c4a2ebb6876a2ad42c4144d89acc40af19ff60201454e67599ae5bc

    • SSDEEP

      6144:m9cO+BKw+rc1tSFd1jCoLnhZsc7VbOTi:m9cfBXEc1tSFmyn3scFp

    • Tofsee

      Backdoor/botnet that carries out malicious activity on command from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
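The behavioural signatures above are what a detection engineer would want to reproduce on endpoint telemetry rather than in a sandbox. The script below is an added example, not code from the report or from the sandbox vendor, that implements rules for the file-drop, service ImagePath, firewall, self-deletion and dropped-EXE-execution signatures over Sysmon-style events (ID 1 process create, 11 file create, 13 registry value set) and correlates them. All events, paths, the service name `placeholder_svc` and the command lines are constructed placeholders, not observations from this sample; the geofence registry read and SetThreadContext are not covered because Sysmon does not log registry reads or thread-context changes.

```python
"""Detection rules for the sandbox signatures above, over Sysmon-style events.

Added example, not part of the report. EVENTS is CONSTRUCTED telemetry with
placeholder names; it is not what this sample did.
"""
import re

# id 1 = process create, 11 = file create, 13 = registry value set
EVENTS = [
    {"id": 1, "pid": 1304, "ppid": 612, "image": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'"C:\Users\user\Desktop\file.exe"'},
    {"id": 11, "pid": 1304, "target": r"C:\Windows\System32\placeholder_svc.exe"},
    {"id": 13, "pid": 1304,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\placeholder_svc\ImagePath",
     "details": r"C:\Windows\System32\placeholder_svc.exe"},
    {"id": 1, "pid": 1500, "ppid": 1304, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="placeholder_svc" dir=in '
            r'action=allow program="C:\Windows\System32\placeholder_svc.exe"'},
    {"id": 1, "pid": 1520, "ppid": 1304, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\user\Desktop\file.exe"'},
    {"id": 1, "pid": 1600, "ppid": 612, "image": r"C:\Windows\System32\placeholder_svc.exe",
     "cmd": r"C:\Windows\System32\placeholder_svc.exe"},
    # benign noise: a normal service install also writes ImagePath but did not drop the file
    {"id": 13, "pid": 800, "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
]

SYSTEM32 = "c:\\windows\\system32\\"
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.I)


def norm(path: str) -> str:
    """Windows paths are case-insensitive; strip quotes and lower-case before comparing."""
    return path.strip('"').lower()


def process_images(events) -> dict:
    """pid -> image path, from process-create events."""
    return {e["pid"]: norm(e["image"]) for e in events if e["id"] == 1}


def service_image_paths(events) -> dict:
    """service name -> (writing pid, ImagePath) for every ImagePath set under Services."""
    out = {}
    for e in events:
        if e["id"] == 13:
            m = SERVICE_IMAGEPATH_RE.match(e["key"])
            if m:
                out[m["svc"]] = (e["pid"], norm(e["details"]))
    return out


def system32_drops(events) -> dict:
    """path -> creating pid for files written under System32."""
    return {norm(e["target"]): e["pid"] for e in events
            if e["id"] == 11 and norm(e["target"]).startswith(SYSTEM32)}


def firewall_changes(events) -> list:
    """netsh invocations that touch the firewall configuration."""
    return [e["cmd"] for e in events if e["id"] == 1
            and norm(e["image"]).endswith("\\netsh.exe") and "firewall" in e["cmd"].lower()]


def self_deletions(events) -> list:
    """(parent pid, parent image) where a child's command line deletes the parent's own EXE."""
    images = process_images(events)
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        parent = images.get(e["ppid"])
        cmd = e["cmd"].lower()
        if parent and parent != norm(e["image"]) and " del " in cmd and parent in cmd:
            hits.append((e["ppid"], parent))
    return hits


def executed_drops(events) -> list:
    """Images that were both created under System32 and later started as a process."""
    drops = system32_drops(events)
    return [norm(e["image"]) for e in events if e["id"] == 1 and norm(e["image"]) in drops]


def services_from_dropped_files(events) -> list:
    """High-confidence chain: the same pid drops a file into System32 and registers that
    exact path as a service ImagePath. An ImagePath write alone is noisy (see Spooler)."""
    drops = system32_drops(events)
    return [(svc, path) for svc, (pid, path) in service_image_paths(events).items()
            if drops.get(path) == pid]


def triage(events) -> dict:
    """Map telemetry onto the report's signature names; values are the evidence."""
    rules = {
        "Drops file in System32 directory": lambda ev: sorted(system32_drops(ev)),
        "Sets service image path in registry": lambda ev: sorted(service_image_paths(ev)),
        "Modifies Windows Firewall": firewall_changes,
        "Deletes itself": self_deletions,
        "Executes dropped EXE": executed_drops,
        "Service registered from dropped file (high confidence)": services_from_dropped_files,
    }
    return {name: ev for name, rule in rules.items() if (ev := rule(events))}


if __name__ == "__main__":
    for sig, evidence in triage(EVENTS).items():
        print(f"{sig}: {evidence}")
```

The point of `services_from_dropped_files` is the correlation: every legitimate service installer writes an ImagePath value, so that rule alone pages on noise, whereas a process that writes a PE into System32 and immediately points a new service at it is the persistence pattern the sandbox is summarising with "Creates new service(s)", "Sets service image path in registry" and "Drops file in System32 directory".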

MITRE ATT&CK Enterprise v6

Tasks