General

  • Target

    f784390bef1610437897b0044be3a495e58de9cef5de77d9f45f5b3a5defe5fe

  • Size

    144KB

  • Sample

    231106-pagrpaah6s

  • MD5

    cbbbf2b308abd96413d3895c8fbffa2e

  • SHA1

    2e85b1a4bd4d565050e8ea6caa5cb1e716e658a6

  • SHA256

    c7c399bb7aecede99d2e8d59770002f35b85f5481077129d686e21449feaf92c

  • SHA512

    ba381f90161188324720d30f81c404b67c0a7b0c3981297467b801a70a0d65412b2219889ee404bee2000e3a6b536dcd04f69c45209ca933ab0e7a0e349becce

  • SSDEEP

    3072:Y/eTTGsSyV1BB0BYSZHuP5AzqArCpdPJa9CZo2Y07L7V2Bs1QqQ05xtIW:ie/GsSyV1/0y2HuuzqAepdJa92o2Y0fJ

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      f784390bef1610437897b0044be3a495e58de9cef5de77d9f45f5b3a5defe5fe

    • Size

      221KB

    • MD5

      2488d90434caafc7d576e6e16220a772

    • SHA1

      9f72377d8cc4e561ae6172460df94b8d0f87ed9e

    • SHA256

      f784390bef1610437897b0044be3a495e58de9cef5de77d9f45f5b3a5defe5fe

    • SHA512

      5ee948f1eeb8ba21cda44d781b616f96957b6f7a1951b0a4dfe6c7c881ae28d243722cf751209efa8e1e274fe392b0956ea1423ec6ed1efb7880b87e44aa5e18

    • SSDEEP

      3072:WHMfCYL/+qeVAeW5XNFJarDAJ98I2a9CZo2Y07LPd0RPGnllVP:WsfbLQIF00JWla92o2Y0foGnR

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks