General

  • Target

    file.exe

  • Size

    230KB

  • Sample

    231121-gvavwade4z

  • MD5

    885a3c52de19c50151a51f368984d0bb

  • SHA1

    d4fd0f08aa8fb0046d47e6840c913e98d98057f4

  • SHA256

    9ad80064fcaa519e50848c0b954a53400452bf623d6153be47633388542c1559

  • SHA512

    a1c337ed8277e2fbe9132f04303f6b6d7bcb1582c2d7bef57eac4ec24a625c4b5ba4e39c62e26797e297a84ab859eb91f3dad0d3d1c618b5521b9b43957c767a

  • SSDEEP

    3072:NAAAESW3sAbwmtov1bfgMZ0GSuJMRYJtU6pCZmyzPe77a6J7HqsDzg1p:bB31wUov11xz4YJaZNPe7hJ7Ng

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      230KB

    • MD5

      885a3c52de19c50151a51f368984d0bb

    • SHA1

      d4fd0f08aa8fb0046d47e6840c913e98d98057f4

    • SHA256

      9ad80064fcaa519e50848c0b954a53400452bf623d6153be47633388542c1559

    • SHA512

      a1c337ed8277e2fbe9132f04303f6b6d7bcb1582c2d7bef57eac4ec24a625c4b5ba4e39c62e26797e297a84ab859eb91f3dad0d3d1c618b5521b9b43957c767a

    • SSDEEP

      3072:NAAAESW3sAbwmtov1bfgMZ0GSuJMRYJtU6pCZmyzPe77a6J7HqsDzg1p:bB31wUov11xz4YJaZNPe7hJ7Ng

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks