General

  • Target

    file

  • Size

    234KB

  • Sample

    230516-afnpvshc3z

  • MD5

    1a0aa2a4834e1fbe2da672a2dd629c92

  • SHA1

    78f861410e03a72115005cdb54214af6189c8c4e

  • SHA256

    d5178474cc5b93e7f726ae674f20d2b3faffdc7bf6c498bac28f14e9857cc459

  • SHA512

    30bae92e12f30b621a37589bf7ce91331db6e0ea5d4b8f2ee7333e53f5cb5783cfe634b025ea8eec99561fe9137cfdd870265c64f25c41c6fd7d17ea8e945277

  • SSDEEP

    3072:Ap+d48tF8JfG1R2povLjuV6wsUx5zDIXU83h+tiS16gfN3VVEEMp3VJZ:dtz3vOVh53I98tOgF3NMplJZ

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      234KB

    • MD5

      1a0aa2a4834e1fbe2da672a2dd629c92

    • SHA1

      78f861410e03a72115005cdb54214af6189c8c4e

    • SHA256

      d5178474cc5b93e7f726ae674f20d2b3faffdc7bf6c498bac28f14e9857cc459

    • SHA512

      30bae92e12f30b621a37589bf7ce91331db6e0ea5d4b8f2ee7333e53f5cb5783cfe634b025ea8eec99561fe9137cfdd870265c64f25c41c6fd7d17ea8e945277

    • SSDEEP

      3072:Ap+d48tF8JfG1R2povLjuV6wsUx5zDIXU83h+tiS16gfN3VVEEMp3VJZ:dtz3vOVh53I98tOgF3NMplJZ

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks