General

  • Target

    NEAS.72778b0c3fa5487016091d2fa18a6c606241c6637afa122a9614007a32ac8cd5exe_JC.exe

  • Size

    263KB

  • Sample

    231026-xh5sgsga34

  • MD5

    3b968158da7a1e64ed03bcab2b284d20

  • SHA1

    7699288fe01925934612e18a22aef258d93ad967

  • SHA256

    72778b0c3fa5487016091d2fa18a6c606241c6637afa122a9614007a32ac8cd5

  • SHA512

    0f7baf9eb9502c9e5d3576bbd7adaa6186078a034a737aa572f977a5de62b3645e8a88b4fe2f94e2d5fbc19b4a1a1d2540f27835a8a640967e25e1c38d7b22b8

  • SSDEEP

    3072:NsXUTl69SAxLtNW6wBaBccK8/UXWup/p4hzzc0m5R/Rh2Eh5mmOQGib:Ggl61xLXW/BanKUMWup/p03c0cJRUt

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.72778b0c3fa5487016091d2fa18a6c606241c6637afa122a9614007a32ac8cd5exe_JC.exe

    • Size

      263KB

    • MD5

      3b968158da7a1e64ed03bcab2b284d20

    • SHA1

      7699288fe01925934612e18a22aef258d93ad967

    • SHA256

      72778b0c3fa5487016091d2fa18a6c606241c6637afa122a9614007a32ac8cd5

    • SHA512

      0f7baf9eb9502c9e5d3576bbd7adaa6186078a034a737aa572f977a5de62b3645e8a88b4fe2f94e2d5fbc19b4a1a1d2540f27835a8a640967e25e1c38d7b22b8

    • SSDEEP

      3072:NsXUTl69SAxLtNW6wBaBccK8/UXWup/p4hzzc0m5R/Rh2Eh5mmOQGib:Ggl61xLXW/BanKUMWup/p03c0cJRUt

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks