General

  • Target: file
  • Size: 243KB
  • Sample: 231116-sra71scf64
  • MD5: d39ec227c7bd7e552236e85ef9affe1f
  • SHA1: dd9fb2666eb04c758acd511d6938ca57b1738ecd
  • SHA256: d674db737db03ced531fb0e180ebfb256c0d142bedadd3dd06bf665aedc9a3c0
  • SHA512: d9d16dee213ca0e97d5fdb4a8a1e80ca1ff2196b22025538cf0425e9d20caae8a351f201b572e538ff6fc486889f6a05fb3ae8aeb0d3dd8ebcd14b1b40e4069f
  • SSDEEP: 3072:nl4mLVY01t2mguV4u8OnW+Xx366Pw+4Rm/lBKsikL3:PLVY037guVR8xe364/AA3

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
