General

  • Target: NEAS.a4dee314bf550ed83a5be294c6acbea200fb4665c684ae5f842c29ba3233e307exe_JC.exe
  • Size: 291KB
  • Sample: 231026-x3cbnseh5w
  • MD5: 306b52b0288f8636b145c12e1594b4d5
  • SHA1: 3b11ac9361a3ab7ab9cc4729c8cb0392a0d8fdaa
  • SHA256: a4dee314bf550ed83a5be294c6acbea200fb4665c684ae5f842c29ba3233e307
  • SHA512: 2b1911749d49ce8155289707baf1560f0a817cacd8f0136acc97b86abfa8fc9ee3b548d4817a10973fcc71991f5280028e3e8e3f0c91ac45932c64057b03dcc5
  • SSDEEP: 6144:KVHVEqQqdL7N9FX0FcOcmy46B5ihS4pe5:KoHqdPHFfOcHr/So

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15