General

  • Target

    f1beba92cf4e4e9ec752111dd7aec6ae601d433a3e29be8a10f8da5c4b5f70f9

  • Size

    297KB

  • Sample

    221227-t99zqsad9y

  • MD5

    5ce137b77c0ae2a228aea8d34e92d733

  • SHA1

    8df33b79f10b6c3d8318268d7c2642b4c2909708

  • SHA256

    f1beba92cf4e4e9ec752111dd7aec6ae601d433a3e29be8a10f8da5c4b5f70f9

  • SHA512

    9d229ab543ab6021276c0bea4455701bd0b2068db607549ab8c75021345247bf8b067e2573a506da3273b8f196c5cda5c2a6b2dcd2ede005ef69cfa92fc11eca

  • SSDEEP

    6144:ea1YLNQoI1soZhr5xLfnMwiv58xQ3xDPkMo5zXbAc:r1YpQwoX5xzvQ58xaxDPyrbA

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks