General

  • Target

    file.exe

  • Size

    200KB

  • Sample

    231120-gcvsbseg8x

  • MD5

    265a630d864756fbb82d815a9dbcdce3

  • SHA1

    27f5b008b3888f41288d5e0ac52c257f281ae19f

  • SHA256

    d30d636013a05ce0194abdd49b743ff1aa30837ae6d3f82796ca73395a3ee578

  • SHA512

    b306131753b16d28bb5471d5beff3090cff3ec8e7aa122746653a7715ac40e0c706fe7706c7dc6db09b7aaaa0f45d5988a454f04e4245f708af9691653999437

  • SSDEEP

    3072:AR+b2wAmN64IOvAdjW6g/eNmJiSBpphw9UMIFgTOqZ1XvKs:Z2pq64IsQqR/TJfphvvyb

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks