General

  • Target: f89ec97419729707a888b93f307fdb1ca8d18f5133bb1282134f253b208bed05
  • Size: 264KB
  • Sample: 220912-xlmq3sdhe3
  • MD5: b03fe2e354d4741264b6fb4e25955911
  • SHA1: e5cc6f38a64ae6e6dd89cba5705b6e587b241cea
  • SHA256: f89ec97419729707a888b93f307fdb1ca8d18f5133bb1282134f253b208bed05
  • SHA512: b00e2de1cf34abbb849cd0fa8510afb2a6c05bc55e83fa6cc290308a3fd6d70100103732fc5c0ecce8a7281f8d53ac9af7bb54d3d1165fa895bac64ded65b5af
  • SSDEEP: 6144:4a4XyaiKA+RVP3yVvz+UI7SMtVlFu7z/XySeCetjHgfTy:98fZAK93yVvSUI7SMtVKfy

Malware Config

Extracted

  • Family: tofsee
  • C2:
    svartalfheim.top
    jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6