General

  • Target

    yoepjxj2k.exe

  • Size

    231KB

  • Sample

    230513-2ykjpscc2s

  • MD5

    e24bde37506309010eaaa9cd16543deb

  • SHA1

    7b3184f8b36410489725fab73d8f3b699811fcdd

  • SHA256

    eb83af89295470eacddb4854fdce4d921f814ad636e70648ddd3b03295463492

  • SHA512

    13a8697c00f591bf354e8e477b0248b6668d2c5e0ea98b5b390bd6922df94a67476d9e68e017ca685d0e0d14a0bd0ab1f127476d808aefc9c06199624f8fe421

  • SSDEEP

    3072:kJqiwS9dIvHI/vMkB3ld6iV8/1F5MwmF7a19Zubmqv5NxFul5gR/8WI4Oh6Ixq:K53dEoHM43haF5MwEakhLCyR0Wy

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      yoepjxj2k.exe

    • Size

      231KB

    • MD5

      e24bde37506309010eaaa9cd16543deb

    • SHA1

      7b3184f8b36410489725fab73d8f3b699811fcdd

    • SHA256

      eb83af89295470eacddb4854fdce4d921f814ad636e70648ddd3b03295463492

    • SHA512

      13a8697c00f591bf354e8e477b0248b6668d2c5e0ea98b5b390bd6922df94a67476d9e68e017ca685d0e0d14a0bd0ab1f127476d808aefc9c06199624f8fe421

    • SSDEEP

      3072:kJqiwS9dIvHI/vMkB3ld6iV8/1F5MwmF7a19Zubmqv5NxFul5gR/8WI4Oh6Ixq:K53dEoHM43haF5MwEakhLCyR0Wy

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks