General

  • Target

    file.exe

  • Size

    201KB

  • Sample

    231120-rnzwjahd3w

  • MD5

    7c93c2206fd0de07383e0e1ea048f37a

  • SHA1

    235cf088388dca511944495eff7eceed0d12aa20

  • SHA256

    bb34a64365015b36edbc8a0f3a5c7a3646c6d1b0330e5e47b4afcb340adf05d4

  • SHA512

    5e04e2985ab07ebe658e6f20bab85aa17cdf4132960425c874bd8c31d7fdc7489a975ef1369cd0ce59ebe699b5cd5c8b433a069f0f0c4867ad8376680b0c90f6

  • SSDEEP

    3072:6Hd3HQ9ewY9mwOGgTOSp6nwSbpbAuYrvGhKs+lZ9WoXxp:a2ed9m/GNSpGwebAuYyh8Z

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      201KB

    • MD5

      7c93c2206fd0de07383e0e1ea048f37a

    • SHA1

      235cf088388dca511944495eff7eceed0d12aa20

    • SHA256

      bb34a64365015b36edbc8a0f3a5c7a3646c6d1b0330e5e47b4afcb340adf05d4

    • SHA512

      5e04e2985ab07ebe658e6f20bab85aa17cdf4132960425c874bd8c31d7fdc7489a975ef1369cd0ce59ebe699b5cd5c8b433a069f0f0c4867ad8376680b0c90f6

    • SSDEEP

      3072:6Hd3HQ9ewY9mwOGgTOSp6nwSbpbAuYrvGhKs+lZ9WoXxp:a2ed9m/GNSpGwebAuYyh8Z

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks