General

  • Target

    7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2.zip

  • Size

    178KB

  • Sample

    231119-z4c1psbf62

  • MD5

    6799416262f0daf7e5dc92d325d64db0

  • SHA1

    c61b37a17a8bc7ced0461d6d7513cc5a5e677d0c

  • SHA256

    0b866ed04f5d34f0a63f79ca6061db85425cb41d6b9d37a4ce9a0a890a4d865d

  • SHA512

    1d995f3f55b305b13c22cf77f1afc4a7c8214f9079758e6e2a2f9690376f09add65ecf17149506a12ab715faaa3e592f7359445d98cd520c359d92235e6556e3

  • SSDEEP

    3072:MucMuNELO9A6gVvFIN3x8fBHvbt0sNOXidYGScAX:XLCdNufBPbXRWZcAX

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2.exe

    • Size

      338KB

    • MD5

      5c5387efb7f70cd46012c6f8f4cc0e1a

    • SHA1

      c2ad2a7be652d8b73cdeb794b498c03d8f783bc4

    • SHA256

      7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2

    • SHA512

      bc6a38573e87fc6bc7b945ee76f5b8102e5adfa1ff6262356212a0fb66f2b4cb071193df75f05da715627d1d4c5cb2cd733f786371bf271e5ee94f88557de65d

    • SSDEEP

      3072:M9xApN8qo8I+HI0C+iUn9wYaA8MqfvJLAiT12Rerybp80C:wTqoQHIbYatRJLAiT3ry3

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks