General

  • Target

    NEAS.98c2ff26ab1bc639c2f1600d6127245b719dbfe619c784a9458b826d5aeeda4bexe_JC.exe

  • Size

    177KB

  • Sample

    231026-xt7ffseg4s

  • MD5

    eae908014d26f7bb01be3cee895aefae

  • SHA1

    8adb13166e6a3b71d9c37cb93da538ac85abc566

  • SHA256

    98c2ff26ab1bc639c2f1600d6127245b719dbfe619c784a9458b826d5aeeda4b

  • SHA512

    f177b9d43b15bdca1ccd4b1cf57e01811a5e33fe2798ecde47d9fb4f1b491dd8c653685b1f6e140359179f2b9ff24e113466f00eb9d2c474b3e135c616c00356

  • SSDEEP

    3072:fHBN7RcV0uol0USX6Nw0WxyOufOeszXfzQZH64X+T6Uxs:pHgf+0USX6Nw0rXNszXfzQZRX+T

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      NEAS.98c2ff26ab1bc639c2f1600d6127245b719dbfe619c784a9458b826d5aeeda4bexe_JC.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks