General

  • Target: 4ce2353420b3fef9a268a018a0b8bb5d4389bd7ff288c1168af812dd81b2d54a.zip
  • Size: 128KB
  • Sample: 230308-njfejsfe21
  • MD5: 13bbf02907e83492ed385386d5074f03
  • SHA1: 4569102d544c03401440cecbf976a9292e5c43dc
  • SHA256: cd17f61eb09451df8bfb022ba0580944c45ef5f096a8a16fd733b47293af3bee
  • SHA512: 7a88bc27e836e4e5baa40b01085ae6e5b5d48c31df935857333c2f33bffabf89038b3a119d0df8d92d34f7294c66db8b1c6bad08e2be13e31cad83bf804bce2d
  • SSDEEP: 3072:0rQvI+Jywd/+jjTKEsYbw0cVTbc/3PwIe8T4Q5KV:MQvIjwEjsWwjTAPw7tV

Malware Config

Extracted

  • Family: tofsee
  • C2:
      svartalfheim.top
      jotunheim.name

Targets

    • Target: 4ce2353420b3fef9a268a018a0b8bb5d4389bd7ff288c1168af812dd81b2d54a.exe
    • Size: 192KB
    • MD5: 941c2c7de7a78108baf55e9a9c80db7a
    • SHA1: 02d1c8e2027be98a452e2bc6c8e4f4359e114443
    • SHA256: 4ce2353420b3fef9a268a018a0b8bb5d4389bd7ff288c1168af812dd81b2d54a
    • SHA512: 2b0102f34315eb971d4ed7fa2ba60ccc0afdb1ebdea3548de2b91763d5b105cad984dad06b12a5c28ea36144dbd81071d69fb3833259a04763c8b398d0984ea7
    • SSDEEP: 3072:A0Uyh0vf5cSHc/onUnPJaBOkSSgH+wIygCd8ZXQm25k5gFaJc3EB:Zph03LHc/yUPh4ogCigk5gj

    • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high performance, open source, cross platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks