General

  • Target

    bdbc9a21226ffd243b4290d5de4ebba3c5b1194947f8efb9333dead323e0ffe7

  • Size

    144KB

  • Sample

    231106-pqz8zaba4t

  • MD5

    6d1323fe69deb17a70657b69f4647100

  • SHA1

    439bf772a1d9463e9231d1b6c2abb3e4434d8ec7

  • SHA256

    419e5ee67d2a76944252f631d0d2967c2416e0d13c24689142c689d481d249bc

  • SHA512

    5d8123eb94a3231a6d301acb7d71d4bc41ea9de71b6da2e033d74174c8dc0b9f02adce7f6047a8fa1554828a02f4aac579bad7ebf491e0efac185f07a8b7f3b5

  • SSDEEP

    3072:q9HwJ6M18S9TKm3dtSUSATI93tJxepkzsOkesZtT3:MHwJ7KStxNSATW3bxenjXT3

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn
    jotunheim.name

Targets

    • Target

      bdbc9a21226ffd243b4290d5de4ebba3c5b1194947f8efb9333dead323e0ffe7

    • Size

      222KB

    • MD5

      07b00cf95a65d716cbf9b6737a3d97bd

    • SHA1

      c0bcd4ca653be184ad011e295df02d999046fb8c

    • SHA256

      bdbc9a21226ffd243b4290d5de4ebba3c5b1194947f8efb9333dead323e0ffe7

    • SHA512

      4178cfac6bde459cae55e48b24ca11117cc31f9d4061bb5f6e57ea9ed17122b4e1dc3da92bad7c1d7bda0ef556dcc653a77da2994da5186f934ac8cf0b6b0493

    • SSDEEP

      3072:3WMfCVLL/mQCnan+CIVkCUSATI93tJkgrNo5RPeplVP:3Bf8LLKc+CIqdSATW3b7Nget

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
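Hunting for the behaviours listed above, together with the two C2 domains from the extracted config, in endpoint telemetry, as an added example that is not part of this report and not code from the Tofsee or XMRig projects. It assumes Sysmon-style events (process create 1, file create 11, registry value set 13, DNS query 22) and the System log's service-install event 7045, modelled here as Python dicts; the host names, file names, service name and every log line are constructed for the example, and only the domains vanaheim.cn and jotunheim.name come from the report.

```python
"""Correlate report behaviours against constructed Windows telemetry.

Added example, not from the sandbox report. Event IDs are real Sysmon /
System-log IDs; the field layout and all sample events are constructed.
"""
import re
from collections import defaultdict

# Indicators taken from the report's extracted Tofsee config.
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}

SYSTEM32 = "c:\\windows\\system32\\"
FIREWALL_ADD = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.I)


def _norm(path):
    """Lower-case a path and drop surrounding quotes (7045 often quotes ImagePath)."""
    return path.strip('"').lower()


def _in_system32(path):
    return _norm(path).startswith(SYSTEM32)


def hunt(events):
    """Return one finding per matched rule: {host, rule, evidence}."""
    findings = []

    # Pass 1: "Drops file in System32 directory" -- a file created under
    # System32 by a process that does not itself live there.
    dropped = defaultdict(set)  # host -> lower-cased dropped paths
    for ev in events:
        if (ev.get("id") == 11 and _in_system32(ev["TargetFilename"])
                and not _in_system32(ev["Image"])):
            dropped[ev["host"]].add(_norm(ev["TargetFilename"]))

    # Pass 2: the remaining behaviours, tied back to the dropped file where possible.
    for ev in events:
        host, eid = ev["host"], ev.get("id")
        if eid == 7045 and _norm(ev["ImagePath"]) in dropped[host]:
            # "Creates new service(s)" pointing at the dropped binary
            findings.append({"host": host, "rule": "service_for_dropped_file",
                             "evidence": ev["ImagePath"]})
        elif (eid == 13 and ev["TargetObject"].lower().endswith("\\imagepath")
                and _norm(ev["Details"]) in dropped[host]):
            # "Sets service image path in registry"
            findings.append({"host": host, "rule": "service_imagepath_set",
                             "evidence": ev["TargetObject"]})
        elif eid == 1 and FIREWALL_ADD.search(ev.get("CommandLine", "")):
            # "Modifies Windows Firewall" via netsh
            findings.append({"host": host, "rule": "firewall_rule_added",
                             "evidence": ev["CommandLine"]})
        elif eid == 22 and ev["QueryName"].lower() in C2_DOMAINS:
            # DNS lookup of an extracted C2 domain
            findings.append({"host": host, "rule": "tofsee_c2_dns",
                             "evidence": ev["QueryName"]})
    return findings


def rules_by_host(events):
    """Collapse findings to {host: set(rule names)} for quick triage."""
    out = defaultdict(set)
    for f in hunt(events):
        out[f["host"]].add(f["rule"])
    return dict(out)


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 11, "Image": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "TargetFilename": "C:\\Windows\\System32\\abcd1234.exe"},
    {"host": "ws01", "id": 7045, "ServiceName": "wuaudit",
     "ImagePath": "\"C:\\Windows\\System32\\abcd1234.exe\""},
    {"host": "ws01", "id": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuaudit\\ImagePath",
     "Details": "C:\\Windows\\System32\\abcd1234.exe"},
    {"host": "ws01", "id": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=\"wuaudit\" dir=in "
                    "action=allow program=\"C:\\Windows\\System32\\abcd1234.exe\""},
    {"host": "ws01", "id": 22, "Image": "C:\\Windows\\System32\\abcd1234.exe",
     "QueryName": "jotunheim.name"},
    {"host": "ws02", "id": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "ws02", "id": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"host": "ws02", "id": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['evidence']}")
```

The service and registry rules only fire when the ImagePath points at a file that was first dropped into System32 by a non-System32 process, which keeps legitimate service installs such as the Spooler line quiet. The geofence behaviour ("Checks computer location settings") is not covered: Sysmon records registry value writes (event 13) but not reads, so a country-code lookup leaves no trace in this telemetry and needs an EDR with registry-read visibility or a sandbox run to observe.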

MITRE ATT&CK Enterprise v15
