General

  • Target

    695c14c51ae9ff59157cf69f97b2d1cc.bin

  • Size

    158KB

  • Sample

    231121-cfw3cacb7v

  • MD5

    ca9a9666a207e990f46ad05d25358c52

  • SHA1

    87633771425e23c2f00a417cff8ebf0a4f861608

  • SHA256

    b086d97e03a2b2c371790b7407849084e5bca70002b82f20fbbad27c532f7c37

  • SHA512

    df77bea5e9b80e95400575397fab4f6d7d4d4e3cbf7c0df57cd26961f69dd83d6d3d2a7df23fc8fb9824e46cf2f5304aa870e342d39242b0fe2a0ec25e60039e

  • SSDEEP

    3072:cLikEKbj9LaGMf4GnzWf31BiAymSSnSkNnsEkp+CUaugfCF/PEEVRzFGt:cLbjaGM5MiAyGSrEkpayczF2

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe

    • Size

      265KB

    • MD5

      695c14c51ae9ff59157cf69f97b2d1cc

    • SHA1

      4688eea11efa5c61c7704b5ca80196eb9099e867

    • SHA256

      f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1

    • SHA512

      e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688

    • SSDEEP

      3072:d6LaowspCAE+mYgDxv5l7Iek5Ym7IQoiteVFWbVD22WsgAsR6c7ovb3TQh9:SaWCAF5Cf7Iem57InitGMxycQMrT

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks