General

  • Target

    NEAS.2db4b7ad0746a2423a4d71da5b6ec8b8efe14366d92d5f87f90fa867656dee2fexe_JC.exe

  • Size

    265KB

  • Sample

    231026-wyka2sfe55

  • MD5

    45803e5734013f3e280310660072d4fb

  • SHA1

    5c2d77811eb0fdc2fc0cc9da7131765b9a9d6ccc

  • SHA256

    2db4b7ad0746a2423a4d71da5b6ec8b8efe14366d92d5f87f90fa867656dee2f

  • SHA512

    7feedfe470ed7e78c459734a9b0921a69b4c83dd7de2d2260a1020e106c44d4fee48ec8b90a0e7a01130653aeb0ac8d267cc497c0443087a64af2bcbf3b3b21d

  • SSDEEP

    3072:2sXLLViObJLO9Dpqs4XzM9lOp7LCHI3lwQ4fVUxfhuC9+QoZ5G2F5QoQb:PLLViWJLO1zczM9lOpSHILcV8N9+Ay

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.2db4b7ad0746a2423a4d71da5b6ec8b8efe14366d92d5f87f90fa867656dee2fexe_JC.exe

    • Size

      265KB

    • MD5

      45803e5734013f3e280310660072d4fb

    • SHA1

      5c2d77811eb0fdc2fc0cc9da7131765b9a9d6ccc

    • SHA256

      2db4b7ad0746a2423a4d71da5b6ec8b8efe14366d92d5f87f90fa867656dee2f

    • SHA512

      7feedfe470ed7e78c459734a9b0921a69b4c83dd7de2d2260a1020e106c44d4fee48ec8b90a0e7a01130653aeb0ac8d267cc497c0443087a64af2bcbf3b3b21d

    • SSDEEP

      3072:2sXLLViObJLO9Dpqs4XzM9lOp7LCHI3lwQ4fVUxfhuC9+QoZ5G2F5QoQb:PLLViWJLO1zczM9lOpSHILcV8N9+Ay

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks