General

  • Target

    file.exe

  • Size

    278KB

  • Sample

    231121-mz4awadh38

  • MD5

    8ade7222dfa2cf56b4f469e4a346cb5c

  • SHA1

    1803834fb17b2a2f579491054d64b61ff6f921d1

  • SHA256

    b1ae2a5d3d178736bfccf1226d311505a0e704ab81854aa606947f2c36f793b2

  • SHA512

    f7fd4c277b443ffeda8536fe29c69f300ea3958cad0b6cf8cd3f238924121cdbdffad8d4bfbdd0619a45b86001734f6e3238cec1149715d873d7c3ebb5a0f0ed

  • SSDEEP

    3072:5cA+vjwiKuPGViDPvY+nv/Uli06Ny47RTZO1iA9d3QyarHU/5LcbzD:M7wIPsice/Uli06Nn/YWwM

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      278KB

    • MD5

      8ade7222dfa2cf56b4f469e4a346cb5c

    • SHA1

      1803834fb17b2a2f579491054d64b61ff6f921d1

    • SHA256

      b1ae2a5d3d178736bfccf1226d311505a0e704ab81854aa606947f2c36f793b2

    • SHA512

      f7fd4c277b443ffeda8536fe29c69f300ea3958cad0b6cf8cd3f238924121cdbdffad8d4bfbdd0619a45b86001734f6e3238cec1149715d873d7c3ebb5a0f0ed

    • SSDEEP

      3072:5cA+vjwiKuPGViDPvY+nv/Uli06Ny47RTZO1iA9d3QyarHU/5LcbzD:M7wIPsice/Uli06Nn/YWwM

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks