General

  • Target

    f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364

  • Size

    231KB

  • Sample

    231121-fkycracd88

  • MD5

    c960d953cd6db802cdd90faebe88c756

  • SHA1

    014d7e29c36f8ba13d0a4a61c172f162a043b748

  • SHA256

    f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364

  • SHA512

    320ec08d441d42027a285acd2338f03dba061199625712f1cffca31bbd40892e15504ab1a286dbba467e2754b8e03f64265a34ab01a7f31e180d3d2e14565f39

  • SSDEEP

    6144:Z9r+JOmzUe4UM52Ly4k6UKwGnPsdlYrI:0b4UMlJfKRPs7

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
