General

  • Target

    file

  • Size

    237KB

  • Sample

    230503-y12n8aac5x

  • MD5

    5f22cf2b4084eeb86e75a33e469f8618

  • SHA1

    dcae74f903c5bf5ea85d20ff674ebc747eda60dd

  • SHA256

    650b125ce1f1646d33549681d7a1cfc8846f01a94d96d7cf1654cb1499442828

  • SHA512

    2fde1c85438e3e52cbc95def2e245b131dee2f5b8953d872f12adbbfcba835f467b43b482fe26b61d4d7d36615a7271412b5fc646f5b8c0a3cca709b1581a642

  • SSDEEP

    3072:DBGOKty9CLpLgdVLKNIFMae2nsvmPo+kysBmK:NBDgtLgzLoahnseEysZ

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      237KB

    • MD5

      5f22cf2b4084eeb86e75a33e469f8618

    • SHA1

      dcae74f903c5bf5ea85d20ff674ebc747eda60dd

    • SHA256

      650b125ce1f1646d33549681d7a1cfc8846f01a94d96d7cf1654cb1499442828

    • SHA512

      2fde1c85438e3e52cbc95def2e245b131dee2f5b8953d872f12adbbfcba835f467b43b482fe26b61d4d7d36615a7271412b5fc646f5b8c0a3cca709b1581a642

    • SSDEEP

      3072:DBGOKty9CLpLgdVLKNIFMae2nsvmPo+kysBmK:NBDgtLgzLoahnseEysZ

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks