General

  • Target

    NEAS.b5c77ef0d3c5416d17802b6c03b8767655c5d17e578917b2c9f7dfeb2e8a5c83exe_JC.exe

  • Size

    291KB

  • Sample

    231026-yaef1agf29

  • MD5

    74ed445fa5bbe3469506eff509d86dab

  • SHA1

    c486f2818f28c8e9ac0a952dd6bf1eb3b66a5d5f

  • SHA256

    b5c77ef0d3c5416d17802b6c03b8767655c5d17e578917b2c9f7dfeb2e8a5c83

  • SHA512

    cf475dcfe26a1c8c8210f82bb6d192ce1437327a54ed6394a3270358f78f7c81593cf6401eae78359a97291b3590dab5ef069cbcd17a5d66eacaf6bafe77b3fb

  • SSDEEP

    3072:xVXUcOVlQoLKKL7NJK6p3QD2KGQ+KBt3RJrRi5qp27UE5Mmj5qe6hsjsQ9ibK:bhOVlQUnL7N86pA19lhpMTWde

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn
    jotunheim.name

Targets

    • Target

      NEAS.b5c77ef0d3c5416d17802b6c03b8767655c5d17e578917b2c9f7dfeb2e8a5c83exe_JC.exe

    • Detected phishing page

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks