General

  • Target

    3220bd6063d386c5e51b1f13aad50c6d0ac54c52f45911a30b133195ac85d1f6

  • Size

    257KB

  • Sample

    231120-fe8xasef4s

  • MD5

    815a6bc73b581777945c004fbb0df6a8

  • SHA1

    281cd70aaa223b57e91d652e03eeeeb1682e5312

  • SHA256

    3220bd6063d386c5e51b1f13aad50c6d0ac54c52f45911a30b133195ac85d1f6

  • SHA512

    f28e1db3a2eda5b77e531ddbe6c8c15a8c93b6546eddc5206bca7183bbfa3cf4bf0458dfbc6d4af18d8bc7ad2e4093d3360cc071abbb7653c8b55e885dbebefd

  • SSDEEP

    3072:zPLwx2C81Tcw2igVdotgCle3Q8dtUqo73NIktGyqPYRB2P7ovb9P4:rU8dX2igqhp8bE73nIfk2jM

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks