General

  • Target: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.zip
  • Size: 158KB
  • Sample: 231119-zj8a4scc6x
  • MD5: 727eeabe9c1b22bb5bb662750bbe13b6
  • SHA1: ae78a1588be076c2d5eb58c6b02f7bd76fac641f
  • SHA256: e69715f4b6a6cd782ed87ecdaf0c3ae1037d01983c084f5d47d38e9c4abe51f6
  • SHA512: 2c7deed5695ffebb63885811b0d62e4549e59ba668b094d84c22f759fabef7c99dc06acff2d803ab933b9f5ebb8a814a3d5b5b3f973bee00e3ca0f0f5bde7409
  • SSDEEP: 3072:a+X96dOC+QQo/zRQKsU8HWI1ap4Kvz5TS1L5fZZS1KOSEyIhf7sHEl91Pn:1N6n+QQEzRQKsU82MHd5s4sf7sHEljPn

Malware Config

Extracted

Family: tofsee

C2:

  • vanaheim.cn
  • jotunheim.name
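The report lists two sets of digests: one for the submitted .zip (General) and one for the .exe inside it (Targets), and the archive is named after the executable's SHA256. When triaging a file you believe is this sample, hash the unpacked executable, not the archive, and compare against the inner digests; the extracted C2 host names are a second, weaker indicator that only shows in the clear when the binary is not packed. The following script is an added example, not part of the sandbox report or of any tool the report uses: the digests and domains are copied from the page, while the file bytes it runs on are constructed stand-ins.

```python
"""Added example, not part of the sandbox report: check a candidate file
against the digests the report lists for the inner executable and look
for the extracted Tofsee C2 host names in its bytes. The blob in the
usage section is constructed; the real sample is not reproduced here."""
import hashlib

# Digests copied from the report's "Targets" entry for the .exe.
REPORT_DIGESTS = {
    "md5": "695c14c51ae9ff59157cf69f97b2d1cc",
    "sha1": "4688eea11efa5c61c7704b5ca80196eb9099e867",
    "sha256": "f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1",
    "sha512": "e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e"
              "12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688",
}

# C2 hosts from the extracted config.
C2_DOMAINS = ("vanaheim.cn", "jotunheim.name")


def digest_bytes(data: bytes) -> dict:
    """Compute the four digests the report publishes, keyed by hashlib name."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def compare_digests(actual: dict, expected: dict) -> dict:
    """Return {algo: (actual, expected)} for every algorithm present in both
    dicts whose values differ; an empty dict means every shared digest matched."""
    return {algo: (actual[algo], expected[algo])
            for algo in expected
            if algo in actual and actual[algo].lower() != expected[algo].lower()}


def find_c2_strings(data: bytes, domains=C2_DOMAINS) -> list:
    """Look for each C2 host as ASCII and as UTF-16LE, since Windows binaries
    often hold host names as wide strings. Result order follows `domains`."""
    return [d for d in domains
            if d.encode("ascii") in data or d.encode("utf-16-le") in data]


def check_sample(data: bytes, expected: dict = REPORT_DIGESTS) -> dict:
    """Summarise whether the bytes match the report's digests and which C2
    strings are visible in the clear (a packed sample may show none)."""
    mismatches = compare_digests(digest_bytes(data), expected)
    return {"hash_match": not mismatches,
            "mismatched": sorted(mismatches),
            "c2_strings": find_c2_strings(data)}


if __name__ == "__main__":
    # Constructed stand-in for a file under analysis (not the real sample):
    # a fake MZ header, one domain as ASCII, the other as a wide string.
    blob = (b"MZ\x90\x00" + b"\x00" * 16
            + b"vanaheim.cn\x00"
            + "jotunheim.name".encode("utf-16-le"))
    print(check_sample(blob))
    # → {'hash_match': False, 'mismatched': ['md5', 'sha1', 'sha256', 'sha512'], 'c2_strings': ['vanaheim.cn', 'jotunheim.name']}
```

A digest mismatch is expected for any repacked or patched build of the same family, so treat the domain hits as the signal that warrants a closer look; a match on all four digests is the only result that identifies this exact file.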

Targets

    • Target: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
    • Size: 265KB
    • MD5: 695c14c51ae9ff59157cf69f97b2d1cc
    • SHA1: 4688eea11efa5c61c7704b5ca80196eb9099e867
    • SHA256: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1
    • SHA512: e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688
    • SSDEEP: 3072:d6LaowspCAE+mYgDxv5l7Iek5Ym7IQoiteVFWbVD22WsgAsR6c7ovb3TQh9:SaWCAF5Cf7Iem57InitGMxycQMrT

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
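The signatures above describe a persistence chain that is visible in ordinary endpoint telemetry: a file dropped into System32, a service whose ImagePath value in the registry points at it, and a firewall change. The script below is an added example, not part of the report or of the sandbox that produced it, showing how to correlate those three behaviours per originating process over Sysmon-shaped events (EventID 1 process create, 11 file create, 13 registry value set). The events, GUIDs, service name and file name are constructed; the expansion of %SystemRoot% to C:\Windows is an assumption about the install drive.

```python
"""Added example, not part of the sandbox report: a small correlation rule
over Sysmon-shaped events that flags the install chain the report lists
(file dropped in System32, service ImagePath pointing into System32,
firewall modified via netsh). All events below are constructed."""
import re
from collections import defaultdict

SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
FIREWALL_CMD = re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\b", re.IGNORECASE)


def normalize_path(value: str) -> str:
    """Strip quotes and expand the two variables commonly seen in REG_EXPAND_SZ
    ImagePath values (assumes Windows is installed on C:)."""
    p = value.strip().strip('"')
    for var in ("%SystemRoot%", "%windir%"):
        p = re.sub(re.escape(var), r"C:\\Windows", p, flags=re.IGNORECASE)
    return p


def classify(event: dict):
    """Map one event to (kind, severity, detail), or None if not of interest."""
    eid = event.get("EventID")
    if eid == 13:
        m = SERVICE_IMAGEPATH.search(event.get("TargetObject", ""))
        if m:
            path = normalize_path(event.get("Details", ""))
            sev = "high" if SYSTEM32_DIR.search(path) else "medium"
            return ("service_imagepath", sev, m.group(1))
    elif eid == 11:
        path = event.get("TargetFilename", "")
        if SYSTEM32_DIR.search(path):
            return ("drop_system32", "medium", path)
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        if FIREWALL_CMD.search(cmd):
            return ("firewall_modify", "medium", cmd)
    return None


def correlate(events) -> dict:
    """Group findings per originating process. 'alert' when a System32-backed
    service registration is joined by a second behaviour (System32 drop or
    firewall change); 'review' for a lone finding; silent otherwise."""
    per_proc = defaultdict(list)
    for ev in events:
        finding = classify(ev)
        if finding is None:
            continue
        # EventID 1 describes the child (netsh); attribute it to the parent.
        if ev.get("EventID") == 1:
            key = ev.get("ParentProcessGuid", ev.get("ProcessGuid"))
        else:
            key = ev.get("ProcessGuid")
        per_proc[key].append(finding)
    verdicts = {}
    for key, findings in per_proc.items():
        kinds = {f[0] for f in findings}
        has_high = any(f[1] == "high" for f in findings)
        verdicts[key] = "alert" if has_high and len(kinds) >= 2 else "review"
    return verdicts


# Constructed events (not from the report's sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{A}", "Image": "C:\\Users\\user\\sample.exe",
     "TargetFilename": "C:\\Windows\\System32\\svcupdate.exe"},
    {"EventID": 13, "ProcessGuid": "{A}",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svcupdate\\ImagePath",
     "Details": "%SystemRoot%\\System32\\svcupdate.exe"},
    {"EventID": 1, "ProcessGuid": "{N}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svcupdate" dir=in '
                    'action=allow program="C:\\Windows\\System32\\svcupdate.exe"'},
    # A vendor installer registering a service under Program Files: review only.
    {"EventID": 13, "ProcessGuid": "{B}",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\vendorsvc\\ImagePath",
     "Details": '"C:\\Program Files\\Vendor\\vendorsvc.exe"'},
    # Unrelated registry write: ignored.
    {"EventID": 13, "ProcessGuid": "{C}",
     "TargetObject": "HKCU\\Software\\App\\Setting", "Details": "1"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    # → {'{A}': 'alert', '{B}': 'review'}
```

Driver and agent installers also write services that live in System32, so in production the rule needs an allowlist keyed on signer or installer image; it also cannot see the remaining two signatures (SetThreadContext use and self-deletion), which need process-access or file-delete telemetry rather than the three event types used here.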

MITRE ATT&CK Enterprise v15

Tasks