General

  • Target

    0e08a8c26a77da196821460666ddddd117ea759ccc532b1ca754f865dfb79481

  • Size

    310KB

  • Sample

    221219-mv3tjshh41

  • MD5

    21e9f5759b59294dde63937c71428508

  • SHA1

    7c2e270b0adb5c51d7854e7e3dfcfa3b11b0b700

  • SHA256

    0e08a8c26a77da196821460666ddddd117ea759ccc532b1ca754f865dfb79481

  • SHA512

    4eda1b69bdac6e368d3b908e22a84ce585905c82956a0a68d5f4f5cc0edc65025ec4bed369f8490aab100f82e3aceb1f72acb306fe13cd32cece8f5bfc21e8eb

  • SSDEEP

    3072:I+5gRTLkYdO2eeByDf0agH8IhIFA1hkN0flvLAphFWqWvcb+H4rOPHFRuUrIb6uh:5gRTLkPFBYhMOkNADi+H4rWlRjO1n

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      0e08a8c26a77da196821460666ddddd117ea759ccc532b1ca754f865dfb79481

    • Size

      310KB

    • MD5

      21e9f5759b59294dde63937c71428508

    • SHA1

      7c2e270b0adb5c51d7854e7e3dfcfa3b11b0b700

    • SHA256

      0e08a8c26a77da196821460666ddddd117ea759ccc532b1ca754f865dfb79481

    • SHA512

      4eda1b69bdac6e368d3b908e22a84ce585905c82956a0a68d5f4f5cc0edc65025ec4bed369f8490aab100f82e3aceb1f72acb306fe13cd32cece8f5bfc21e8eb

    • SSDEEP

      3072:I+5gRTLkYdO2eeByDf0agH8IhIFA1hkN0flvLAphFWqWvcb+H4rOPHFRuUrIb6uh:5gRTLkPFBYhMOkNADi+H4rWlRjO1n

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
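The C2 domains from the Malware Config section and the behavioural signatures above (new service, firewall change, service image path in System32, execution of the dropped EXE) are the indicators a responder would hunt for on other hosts. The following is an added example, not part of the tria.ge report or the sandbox's own code: it matches those indicators against Sysmon-style events converted to JSON. The events are constructed here to resemble Sysmon Event IDs 1 (process create), 13 (registry value set) and 22 (DNS query); the field names and the service name `exampleSvc` are assumptions about the log pipeline, not values taken from this analysis.

```python
"""Hunt for the indicators in this tria.ge report across Sysmon-style events.

Added example; event records below are constructed, not real telemetry.
Field names follow the common Sysmon-to-JSON layout but are an assumption.
"""
import re

# Indicators copied from the report.
C2_DOMAINS = {"svartalfheim.top", "jotunheim.name"}
SAMPLE_SHA256 = "0e08a8c26a77da196821460666ddddd117ea759ccc532b1ca754f865dfb79481"

# ImagePath under a service key: the registry write behind "Sets service image path".
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE
)

# Constructed events (assumption: Sysmon EID 1 / 13 / 22 after JSON conversion).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\sample.exe",
     "Hashes": "MD5=21e9f5759b59294dde63937c71428508,SHA256=" + SAMPLE_SHA256,
     "CommandLine": "C:\\Users\\Public\\sample.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\exampleSvc\\ImagePath",
     "Details": "C:\\Windows\\System32\\exampleSvc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Users\\Public\\sample.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in '
                    'action=allow program="C:\\Windows\\System32\\exampleSvc.exe"'},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\exampleSvc.exe",
     "QueryName": "svartalfheim.top"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\exampleSvc.exe",
     "QueryName": "www.jotunheim.name."},  # subdomain, trailing dot
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "time.windows.com"},  # benign, must not match
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\exampleSvc\\Start",
     "Details": "DWORD (0x00000002)"},  # not ImagePath, must not match
]


def parse_sysmon_hashes(field):
    """Split Sysmon's 'MD5=...,SHA256=...' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def domain_matches(query, domains):
    """True if query is one of the C2 domains or a subdomain of one (case/trailing-dot insensitive)."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def hunt(events):
    """Return (event index, rule name) for every event that hits a report indicator."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 1:
            # "Executes dropped EXE": the sample's own hash shows up in a process create.
            if parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
                hits.append((i, "Known Tofsee sample executed (SHA256 match)"))
            # "Modifies Windows Firewall": netsh firewall rule changes.
            if image.endswith("\\netsh.exe") and "firewall" in ev.get("CommandLine", "").lower():
                hits.append((i, "Modifies Windows Firewall"))
        elif eid == 13:
            m = SERVICE_IMAGEPATH.match(ev.get("TargetObject", ""))
            if m:
                hits.append((i, "Sets service image path in registry"))
                # Service binary living in System32 matches "Drops file in System32 directory".
                if "\\system32\\" in ev.get("Details", "").lower():
                    hits.append((i, "Drops file in System32 directory (service image)"))
        elif eid == 22 and domain_matches(ev.get("QueryName", ""), C2_DOMAINS):
            hits.append((i, "Tofsee C2 DNS lookup"))
    return hits


if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

The DNS rule deliberately matches subdomains and ignores the trailing dot, since resolver logs often record the fully qualified form. The SetThreadContext signature is not covered: it needs API-level or memory telemetry rather than the process, registry and DNS events used here.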
