General

  • Target

    file

  • Size

    280KB

  • Sample

    230528-w89cxsgf4t

  • MD5

    64526d68799a4eed9997e2eafd9bc48d

  • SHA1

    7a9625ad83508cc4691184c3c72fc720010700fe

  • SHA256

    4ed68097ee23816012547d4fc6348f28add26227747de46f0fdd424511097419

  • SHA512

    d8eb6e0b9ae7ff74623e3d9e778e45766a6627cbe163626355a69353ed65f4b53d89ce3cef4e28c78f24cf71994ff3ac5e428ccff40b157d94790b5243d70482

  • SSDEEP

    3072:NLkcmKcLP+pizokfgcPnhKekR9WoB085Tmw3VyuQ:hkc0PgikkRng3Jly/

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      280KB

    • MD5

      64526d68799a4eed9997e2eafd9bc48d

    • SHA1

      7a9625ad83508cc4691184c3c72fc720010700fe

    • SHA256

      4ed68097ee23816012547d4fc6348f28add26227747de46f0fdd424511097419

    • SHA512

      d8eb6e0b9ae7ff74623e3d9e778e45766a6627cbe163626355a69353ed65f4b53d89ce3cef4e28c78f24cf71994ff3ac5e428ccff40b157d94790b5243d70482

    • SSDEEP

      3072:NLkcmKcLP+pizokfgcPnhKekR9WoB085Tmw3VyuQ:hkc0PgikkRng3Jly/

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks