General

  • Target

    file

  • Size

    265KB

  • Sample

    230919-2fwh9aec97

  • MD5

    0111f41e24e80b598a7a81c179432920

  • SHA1

    46c775825a4697946c0fd4b3cd6c881f46430748

  • SHA256

    bf15d707efcb789d6433f3701a1aa66b60ef87431d889c1f71bd01304139645c

  • SHA512

    085b08339bd21c71aa9a3c2a8facdacc4345218cd41b120b16a3dd57e8625cfba5e99e9ef46d77475492887d4cd1ee2426c42b6d8b2f4cae6a8730e6316c883f

  • SSDEEP

    3072:yvXXM+XBaPDKv1lLdixovWmoqtH6v+6+waC7NABBVy+Ya:Q3BODKv3dMovWmYv+TwaC7NCVy

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      265KB

    • MD5

      0111f41e24e80b598a7a81c179432920

    • SHA1

      46c775825a4697946c0fd4b3cd6c881f46430748

    • SHA256

      bf15d707efcb789d6433f3701a1aa66b60ef87431d889c1f71bd01304139645c

    • SHA512

      085b08339bd21c71aa9a3c2a8facdacc4345218cd41b120b16a3dd57e8625cfba5e99e9ef46d77475492887d4cd1ee2426c42b6d8b2f4cae6a8730e6316c883f

    • SSDEEP

      3072:yvXXM+XBaPDKv1lLdixovWmoqtH6v+6+waC7NABBVy+Ya:Q3BODKv3dMovWmYv+TwaC7NCVy

    • Tofsee

      Backdoor/botnet that carries out malicious activities, such as sending spam and mining cryptocurrency, based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry (typically HKCU\Control Panel\International\Geo\Nation), likely to geofence execution by region.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
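
The indicators above (the two C2 hostnames, the sample hash, and the service-creation, firewall and System32-drop behaviours) can be turned into a host-telemetry sweep. The following is an added example, not code from Triage or from the sample: it assumes a simplified Sysmon-style event schema (the `event`, `query`, `cmdline`, `sha256`, `target` and `value` field names are assumptions), and the records in CONSTRUCTED_EVENTS, the host name and the service name `svc_example` are constructed for the demonstration.

```python
"""Sweep Sysmon-style telemetry for the indicators in this report.

Added example for this page; it is not code from Triage or from the
Tofsee sample. The event schema (field names) is an assumed, simplified
one, and the records in CONSTRUCTED_EVENTS are made up for the demo.
"""
import hashlib
import re

# Indicators copied from the report: the extracted C2 hostnames and the
# sample's SHA256.
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}
SAMPLE_SHA256 = "bf15d707efcb789d6433f3701a1aa66b60ef87431d889c1f71bd01304139645c"

# Behaviours the report flags ("Modifies Windows Firewall", "Sets service
# image path in registry", "Drops file in System32 directory") expressed
# as patterns over process and registry events.
FIREWALL_RULE_RE = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b", re.I)
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$",
    re.I,
)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the SHA256 listed in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def is_c2_lookup(query: str) -> bool:
    """Match the C2 hosts themselves and any subdomain of them, case-insensitively."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def check_event(ev: dict) -> list:
    """Return a list of findings for one event (empty if nothing matched)."""
    findings = []
    kind = ev.get("event")
    if kind == "dns_query":
        if is_c2_lookup(ev.get("query", "")):
            findings.append("C2 DNS lookup: " + ev["query"].lower().rstrip("."))
    elif kind == "process_create":
        # Hashes in telemetry are often upper-case; normalise before comparing.
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            findings.append("known sample hash executed: " + ev.get("image", "?"))
        if FIREWALL_RULE_RE.search(ev.get("cmdline", "")):
            findings.append("firewall rule added: " + ev["cmdline"])
    elif kind == "registry_set":
        target = ev.get("target", "")
        if SERVICE_IMAGEPATH_RE.match(target):
            value = ev.get("value", "")
            note = "service ImagePath set"
            # A new service whose binary sits under System32 is the report's pattern.
            if SYSTEM32_RE.match(value.strip('"')):
                note += " (binary under System32)"
            findings.append(f"{note}: {target} -> {value}")
    return findings


def hunt(events) -> list:
    """Run check_event over a sequence of events and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry (not real logs). Host, paths and the service name
# "svc_example" are hypothetical.
CONSTRUCTED_EVENTS = [
    {"event": "dns_query", "host": "WS01", "query": "www.example.org"},
    {"event": "dns_query", "host": "WS01", "query": "VANAHEIM.CN."},
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Users\user\Downloads\file.exe", "cmdline": "file.exe",
     "sha256": SAMPLE_SHA256.upper()},
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="svc_example" dir=in action=allow program="C:\Windows\System32\svc_example.exe"'},
    {"event": "registry_set", "host": "WS01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\svc_example\ImagePath",
     "value": r"C:\Windows\System32\svc_example.exe"},
    {"event": "dns_query", "host": "WS01", "query": "mail.jotunheim.name"},
    {"event": "registry_set", "host": "WS01",
     "target": r"HKCU\Software\Example\Setting", "value": "1"},
]

if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_EVENTS):
        print(finding)
```

Run against the constructed events, the sweep reports five findings: the two C2 lookups (one of them a subdomain, one upper-cased with a trailing dot), the execution of a file matching the report's SHA256, the netsh firewall rule, and the new service whose ImagePath points under System32; the unrelated DNS query and HKCU registry write produce nothing. Domain matching deliberately requires a label boundary, so a lookup of a host that merely ends in the same characters does not fire.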

MITRE ATT&CK Enterprise v15

Tasks