General

  • Target

    NEAS.19ff214fd7feb452a76b299e36831705cc3cc11c3d5deb6ff4a9df6138aacd4cexe_JC.exe

  • Size

    285KB

  • Sample

    231026-wq8nnsdg4v

  • MD5

    1694977bcb788f91d08d563e65e1b6a8

  • SHA1

    b43b878f52e93dcac435e012db85d5151b55f4f6

  • SHA256

    19ff214fd7feb452a76b299e36831705cc3cc11c3d5deb6ff4a9df6138aacd4c

  • SHA512

    95f504cbb5906ca0fa0511e1627a175586cad92d7aab55724b1483d6886ebbe6cac735cf06f2e9650fc5c5ae6c3813c3f15ffc7edd1871fb9a683172c1f9a73d

  • SSDEEP

    3072:zVX1Sc4eOh6nD2fLpZ5W3hR8b/67c3HL+Yl4MyrBHH75aDbQkib0RC:F1Sc4b6D2fLb5zbL3HL+YazBk

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name
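The hashes under General and the two extracted C2 domains are the indicators a responder would pull from this report. The script below, an added example and not part of the sandbox report or of any Tofsee tooling, loads those values and matches them against host telemetry: file records carrying precomputed digests, and DNS queries, with case, trailing-dot and subdomain handling so that `mail.vanaheim.cn.` still hits. The event records and the `hash_bytes`/`scan` helpers are constructed for illustration; only the hash strings and domains come from the report.

```python
"""IOC matching for the indicators listed in the report above.

Added example, not the sandbox's own code. Hash values and C2 domains are
copied from the report; the event records below are constructed.
"""
import hashlib

# Sample hashes exactly as listed under General (SHA512 omitted: same workflow).
SAMPLE_HASHES = {
    "md5": "1694977bcb788f91d08d563e65e1b6a8",
    "sha1": "b43b878f52e93dcac435e012db85d5151b55f4f6",
    "sha256": "19ff214fd7feb452a76b299e36831705cc3cc11c3d5deb6ff4a9df6138aacd4c",
}

# C2 domains from the extracted Tofsee config.
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm used in the report."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def hash_file(path: str) -> dict:
    """Digest a file on disk, streaming in 1 MiB chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def domain_matches(observed: str) -> bool:
    """True if the observed name is a C2 domain or a subdomain of one.

    DNS logs often carry a trailing dot and mixed case; normalise before
    comparing, and require a label boundary so 'notvanaheim.cn' does not match.
    """
    host = observed.strip().lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_DOMAINS)


def match_event(event: dict) -> list:
    """Return the indicator names one telemetry record matches (empty if clean).

    The record shape is a constructed EDR-style dict: 'kind' plus fields.
    """
    hits = []
    if event.get("kind") == "file":
        for algo, value in SAMPLE_HASHES.items():
            if event.get(algo, "").lower() == value:
                hits.append("hash:" + algo)
    elif event.get("kind") == "dns":
        query = event.get("query", "")
        if domain_matches(query):
            hits.append("c2:" + query.strip().lower().rstrip("."))
    return hits


def scan(events) -> list:
    """Run match_event over a sequence of records; keep only records with hits."""
    results = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            results.append((ev["id"], hits))
    return results


# Constructed telemetry, not taken from the report: one file record whose SHA256
# is the sample's, one benign file, one C2 subdomain lookup, one benign lookup.
SAMPLE_EVENTS = [
    {"id": "f1", "kind": "file", "path": "C:\\Users\\u\\Downloads\\x.exe",
     "sha256": SAMPLE_HASHES["sha256"].upper()},
    {"id": "f2", "kind": "file", "path": "C:\\Windows\\notepad.exe",
     "sha256": "0" * 64},
    {"id": "d1", "kind": "dns", "query": "MAIL.jotunheim.name."},
    {"id": "d2", "kind": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS):
        print(record_id, hits)
```

Exact-hash matching only catches this build; the SSDEEP value in the report is what you would compare against for repacked variants, which needs the non-standard `ssdeep` module and is left out here. Tofsee C2 domains rotate, so treat the two names as a starting point for hunting rather than a complete list.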

Targets

    • Target

      NEAS.19ff214fd7feb452a76b299e36831705cc3cc11c3d5deb6ff4a9df6138aacd4cexe_JC.exe

    • Size

      285KB

    • MD5

      1694977bcb788f91d08d563e65e1b6a8

    • SHA1

      b43b878f52e93dcac435e012db85d5151b55f4f6

    • SHA256

      19ff214fd7feb452a76b299e36831705cc3cc11c3d5deb6ff4a9df6138aacd4c

    • SHA512

      95f504cbb5906ca0fa0511e1627a175586cad92d7aab55724b1483d6886ebbe6cac735cf06f2e9650fc5c5ae6c3813c3f15ffc7edd1871fb9a683172c1f9a73d

    • SSDEEP

      3072:zVX1Sc4eOh6nD2fLpZ5W3hR8b/67c3HL+Yl4MyrBHH75aDbQkib0RC:F1Sc4b6D2fLb5zbL3HL+YazBk

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
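Several of the signatures above map onto events an endpoint sensor already records: a value written under a service's `ImagePath`, a `netsh` firewall change, a file created in System32 that is later executed, and a child process that deletes its parent's image. The detector below, an added example and not the sandbox's own signature logic, applies those rules to constructed Sysmon-style records (event IDs 1, 11 and 13) and correlates the drop-then-execute pair across events. Every path, service name and command line in it is an illustrative assumption, not something the report attributes to this sample. The SetThreadContext and country-code checks are not recoverable from this kind of telemetry (they need API-level tracing, which the sandbox has and Sysmon does not), so they are deliberately not covered.

```python
"""Behavioural rules for the sandbox signatures listed above, run over
constructed Sysmon-style events. Added example; not the sandbox's rules.
All paths, names and command lines are illustrative assumptions."""
import re
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32\\"
# Sysmon EventID 13 TargetObject for a service binary path, any control set.
SERVICE_IMAGEPATH = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\[^\\]+\\imagepath$")
# Firewall changes either via netsh or by writing the policy key directly.
FIREWALL_CMD = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall|firewall)\b", re.I)
FIREWALL_KEY = ("hklm\\system\\currentcontrolset\\services\\sharedaccess"
                "\\parameters\\firewallpolicy\\")
DELETE_CMD = re.compile(r"\bdel\b|\berase\b|remove-item\b", re.I)


def norm(path: str) -> str:
    """Lower-case and strip quotes so registry and file paths compare reliably."""
    return path.strip().strip('"').lower()


class BehaviourDetector:
    """Stateful: remembers dropped files so a later execution can be tied back."""

    def __init__(self):
        self.dropped = set()               # normalised paths seen in FileCreate
        self.hits = defaultdict(list)      # signature name -> [RecordId, ...]

    def feed(self, ev: dict) -> list:
        """Apply the rules to one event and return the signatures it triggers."""
        eid = ev["EventID"]
        found = []
        if eid == 11:                      # FileCreate
            target = norm(ev["TargetFilename"])
            self.dropped.add(target)
            if target.startswith(SYSTEM32):
                found.append("Drops file in System32 directory")
        elif eid == 13:                    # RegistryEvent: value set
            key = norm(ev["TargetObject"])
            if SERVICE_IMAGEPATH.match(key):
                found.append("Sets service image path in registry")
            elif key.startswith(FIREWALL_KEY):
                found.append("Modifies Windows Firewall")
        elif eid == 1:                     # ProcessCreate
            image = norm(ev["Image"])
            cmd = ev.get("CommandLine", "")
            parent = norm(ev.get("ParentImage", ""))
            if image in self.dropped:
                found.append("Executes dropped EXE")
            if FIREWALL_CMD.search(cmd):
                found.append("Modifies Windows Firewall")
            # One common self-delete pattern: a child whose command line
            # deletes the parent's own executable (assumption, not the
            # only way malware does it).
            if parent and DELETE_CMD.search(cmd) and parent in cmd.lower():
                found.append("Deletes itself")
        for sig in found:
            self.hits[sig].append(ev["RecordId"])
        return found


# Constructed events (not from the report): a loader drops a binary into
# System32, registers it as a service, opens the firewall for it, the service
# starts the binary, the loader removes itself, and a benign notepad launch.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 11, "Image": "C:\\Users\\u\\sample.exe",
     "TargetFilename": "C:\\Windows\\System32\\svcdemo.exe"},
    {"RecordId": 2, "EventID": 13, "Image": "C:\\Users\\u\\sample.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svcdemo\\ImagePath",
     "Details": "C:\\Windows\\System32\\svcdemo.exe"},
    {"RecordId": 3, "EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=\"svcdemo\" dir=in "
                    "action=allow program=\"C:\\Windows\\System32\\svcdemo.exe\"",
     "ParentImage": "C:\\Users\\u\\sample.exe"},
    {"RecordId": 4, "EventID": 1, "Image": "C:\\Windows\\System32\\svcdemo.exe",
     "CommandLine": "C:\\Windows\\System32\\svcdemo.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"RecordId": 5, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c del \"C:\\Users\\u\\sample.exe\"",
     "ParentImage": "C:\\Users\\u\\sample.exe"},
    {"RecordId": 6, "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Feed events in order and return {signature: [RecordIds]}."""
    det = BehaviourDetector()
    for ev in events:
        det.feed(ev)
    return dict(det.hits)


if __name__ == "__main__":
    for sig, ids in run().items():
        print(f"{sig}: events {ids}")
```

Each rule on its own is noisy: legitimate installers set `ImagePath` and add firewall rules all day. The value is in the combination within one process tree, which is why the detector keeps state and why an alert should require the drop-to-System32, service registration and execution to line up rather than firing on any single hit.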

MITRE ATT&CK Enterprise v15

Tasks