General

  • Target

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip

  • Size

    164KB

  • Sample

    231119-zh3n8scb91

  • MD5

    fa3a3e958817e5d9b90a8580395f972f

  • SHA1

    7a673916fff9a435d9ffc9721e0678057be48b48

  • SHA256

    187ac7008c17b951e0d2cbfef73407e938c2e78008ea4d59a534496f067104c4

  • SHA512

    75fe8ad9a73b72c0dc8729d09c55de486b00c4e3a218b2c6522c7ce06b90d2783023228f2ccf637b02ae7186776721b1dcea1cccbc2e4bc0d7f5a00ffc3406f4

  • SSDEEP

    3072:AnvZhNZfhFXIEE0kUtMhl7oWNZIbRSx4iZZhKIrvzWIM2J46vPK93h:AvZd7XIEE0kJ3kWNZIlS2WFvCipQ3h

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

    • Size

      254KB

    • MD5

      02ac11d7691ed7141949fc5c03d5aae8

    • SHA1

      b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac

    • SHA256

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee

    • SHA512

      c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e

    • SSDEEP

      3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks