Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    95d21658c0eaee20c7d5c482dfc9f3bd303fd0bd715dbd29431a6b28b067e673

  • Size

    312KB

  • Sample

    230106-pfd8rafh94

  • MD5

    1482dbb2e2ac294bd4aeb9323c50f313

  • SHA1

    4854e0885e770317e1a960a8348ecfc20f1aca68

  • SHA256

    95d21658c0eaee20c7d5c482dfc9f3bd303fd0bd715dbd29431a6b28b067e673

  • SHA512

    f89c17e3b0e150f5005ac9e083e43fabf40f5177cb0b4f0f6a00b29ab3530193fc828201a692bd52a28ad1c9c701f7519978c82b9d7e1877c4dbd3978604a8f1

  • SSDEEP

    6144:F8L/1dMmyoZS5DQ3xvFse91dWKQvv6or:F8r1dHX/3xv+e9bbto

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      95d21658c0eaee20c7d5c482dfc9f3bd303fd0bd715dbd29431a6b28b067e673

    • Size

      312KB

    • MD5

      1482dbb2e2ac294bd4aeb9323c50f313

    • SHA1

      4854e0885e770317e1a960a8348ecfc20f1aca68

    • SHA256

      95d21658c0eaee20c7d5c482dfc9f3bd303fd0bd715dbd29431a6b28b067e673

    • SHA512

      f89c17e3b0e150f5005ac9e083e43fabf40f5177cb0b4f0f6a00b29ab3530193fc828201a692bd52a28ad1c9c701f7519978c82b9d7e1877c4dbd3978604a8f1

    • SSDEEP

      6144:F8L/1dMmyoZS5DQ3xvFse91dWKQvv6or:F8r1dHX/3xv+e9bbto

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks