General

  • Target: c42c3e82a22d4dd981b9cf1766cc01f9.bin
  • Size: 175KB
  • Sample: 231027-cwjrysdb99
  • MD5: d6aeed497df015227aa453a008f9d776
  • SHA1: 265af47a806c4edaed6de5a66fa0f694dca1d5cf
  • SHA256: 8e949c5c44adf1d588f71b8008b70ec4491d7e74621ea35d0bf240135255a553
  • SHA512: b60e6911f21f12d51f783359f34f1579962bf14eb550d60b03fdcc6822aef1b94ce7244b0970f624c878126d021ab3514262396f18578ab00b6e3dc2bfaa8d50
  • SSDEEP: 3072:tuoRga7OF9H/2oD5N/E+mk2XWx75XfCrKpp39q0MacRfH99h4pCHK8BTfqNwGV:Ysga7OFR/f53CWt5vEcrMacRvzh4Uq+Q

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Target: 9252b13000a99f5e020122fd7a7108389a22e55676f4739ab73b5c08fcfea57b.exe
    • Size: 284KB
    • MD5: c42c3e82a22d4dd981b9cf1766cc01f9
    • SHA1: e2619e1ca9fd82151c5fda94281be42d80dfa363
    • SHA256: 9252b13000a99f5e020122fd7a7108389a22e55676f4739ab73b5c08fcfea57b
    • SHA512: c11c5343c1bd62075983f40937942d7bf9e94b006f6cfe2a9ec46f3bfba7555d69a005e3274c86aa2f8de17703951b605aa0517398eb24af612f450962193f8c
    • SSDEEP: 3072:CCVXnHc4YObHa5o/LKtATUSQm/RvdGT7gfDVqNhR4/jQafEZB75aD/bVs7JQkibv:VnHc4Nb65o/L0Awb41Go7Vkr8EU7b0

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks