General

  • Target

    NEAS.5daad654cfb6234d5ae8ffe89963c842a3e7ee0868e9c8fcf8496a3506e69b78exe_JC.exe

  • Size

    263KB

  • Sample

    231026-xbfvsafh24

  • MD5

    a1e80422354746adaffaad06cf99bc36

  • SHA1

    60770bb3feada234aa1dd99b90153da89b94ebf3

  • SHA256

    5daad654cfb6234d5ae8ffe89963c842a3e7ee0868e9c8fcf8496a3506e69b78

  • SHA512

    ee6fff0daac66b2da2ea99e46a7a0e9fd82d36f1a02df9481c40f6651a09a7c1311760b20a69c6d2a044332aa26623884373ea0ec81a08a33a9dd8c102f61648

  • SSDEEP

    3072:knVXKKRXsq8CBNELCdf4KOUF5r+PqNyLAsrgLnlCaZYUBKoPQhp33C5GT9PfEQG4:CKWXsmBiLCt4uLr+PxynlOUBtPwT5f

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
