General

  • Target

    35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.zip

  • Size

    158KB

  • Sample

    231119-zj6ghscc6w

  • MD5

    a8a873d77971ef9485c4ee990d955f2a

  • SHA1

    82055a3a7fe957d51271304405665a47b6f08af9

  • SHA256

    81985822ad006b10f00e948e1aab8bc3082397353ce39059f5dd01bc08dbb157

  • SHA512

    3d06a35dcd87ce100151f67e9e28749811db66ff5ee0efb88823cf7e0710cdcaf8aa51c9db1aac2f578c44a59a8ea3d01b7d1250fde58345bf4f9e6a053ef56f

  • SSDEEP

    3072:blNPLVg4IPhn4Vx+aJ/4ihf01OGnjKmbWR+tYfn5WqV2RPs1vh8:bTZNJo8gi6NnjBWRkY/5KsQ

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe

    • Size

      274KB

    • MD5

      59e1227450eb946f0eb83fad2f72b1f5

    • SHA1

      b78400bfe2fb0dbe892b1dff5220a7de2c43dfc6

    • SHA256

      35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652

    • SHA512

      19fd57f8a026cd2cc64f4d8ac99538b9d90f9a33a3d70c2061131ea5094a53fa0c4bf23a6adaf51d06bdd799236860311cb4f67e7503ac43259461aedfeda1c2

    • SSDEEP

      3072:QlnO9lcF4LS5ZUsBHS9R071uEcR647ovb3Trh6e:UnXKL+By9R0ooMMrT

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks