General

  • Target

    21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb.zip

  • Size

    177KB

  • Sample

    231119-zj6ghscc6v

  • MD5

    52957212ff776243bdc5dae07e9e96b0

  • SHA1

    b50819efa88c78afc6e47543a4a6760dc2d4766f

  • SHA256

    c80549857b8ac1da07cce436c800c5ed276c9d2e06052bee96c4857b36be3dc1

  • SHA512

    9620887b25e9819f96789b70e0d829ddbb87325ad1e876a218d69095f4adf2bee667a6b70832be1e30d6f4153d0a8294b9a845897764011bdb33ac62c9715cdf

  • SSDEEP

    3072:BdLdFXZMtNa/iA0w6vdac5rdDLGCMI6hNtdrcbm3RhGAvqmmb9Co:BpytNHc0daIVZMp9tcbmhhGAR09b

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb.exe

    • Size

      329KB

    • MD5

      c5acf32a68fc55104b5dafc61245bab4

    • SHA1

      8a1d49efbb20a987cd87d227c4c4016a36c76afb

    • SHA256

      21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb

    • SHA512

      8bc262803139c0420b71ffea63e772124446349d913bb194646c22f0d4dca0cd04d3a3108032c2f31618f482e86fbfa0aa4de63d7c53fcd03dcc438763970808

    • SSDEEP

      3072:y9xdm7sMhs6Y28qryW6A4bdZc4nJcJW+XkmwVWf4rEVjSHwZROr4bpLkC:yIths6Y28ehy5nJcU6QrEVjWlr4a

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks