General

  • Target: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
  • Size: 160KB
  • Sample: 231106-p1n9fscg77
  • MD5: af6dcb7c00f3fbd62c781f48e9222d1f
  • SHA1: 8be7b4c4eeb7e8ee2097ccf6e4c6d945e22aeb57
  • SHA256: e5e58683c4bb0d2c8ff4246401ab427fe7313661c6b9aeb9a93e7be4da4f66c5
  • SHA512: de723c7d675aab5edbedb078d73bfb249034bbf28e4a94a1e9c2712c6f7670c671ab3543b7b393f8d3a3e589c5dc71636198b9e7a45df1579252b92cef09e5fb
  • SSDEEP: 3072:OxakXePiPcI8Xih7M83a4IRKeGaxLKLDrOrKW7stu6oUButotxmC2nh8cs:1+3PcbCMiERtGnL2rKWxU8yd2nhzs

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Target: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
    • Size: 254KB
    • MD5: ccfb3ad139d84573e8083854eec1b59d
    • SHA1: f1993c2870e9d3216e74683a9c4e2c77c255f4b2
    • SHA256: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
    • SHA512: 6e153b8dc4e35d6e1fbb037fb7a9b30efda1a40aa51633bb00d794eb109d303a931add77eb2d5f43da963ec7583be1ff5d9b1d0699815be53083d2105398fed6
    • SSDEEP: 6144:QRI7tWsLnf64lyPtVyaL2rK8Zbz33pnMjHp:mds764ytVyaC2Ov3iH

    • Tofsee: Backdoor/botnet that carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks