Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
67a4c57e1141be6c84787dad422d19dd0193b0ecf5d7771c496b128226420ee7_JC.exe
-
Size
242KB
-
Sample
231011-kb854sbc2x
-
MD5
d7397119dbb60e42850f5db8c0d3cc16
-
SHA1
e9aade2f2c626f3d3b2252c3de72c63ef53b2c2f
-
SHA256
67a4c57e1141be6c84787dad422d19dd0193b0ecf5d7771c496b128226420ee7
-
SHA512
5e90b23cc1dd4c1388a3985e97cfe73c2d2e4f143f3a244e3c447b08b10a1ac1f29c37c6283d8aa1e42bbb026baa93f24e6f87a943818d9feb4c311c20ff095e
-
SSDEEP
3072:fWC+t9BtK2qqscMrhAtzkPK8BZ3R0m/2PmOo9dBn5cp281TWO:fJMTK+szrhAxB+ZOme6Qp91Tj
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
67a4c57e1141be6c84787dad422d19dd0193b0ecf5d7771c496b128226420ee7_JC.exe
-
Size
242KB
-
MD5
d7397119dbb60e42850f5db8c0d3cc16
-
SHA1
e9aade2f2c626f3d3b2252c3de72c63ef53b2c2f
-
SHA256
67a4c57e1141be6c84787dad422d19dd0193b0ecf5d7771c496b128226420ee7
-
SHA512
5e90b23cc1dd4c1388a3985e97cfe73c2d2e4f143f3a244e3c447b08b10a1ac1f29c37c6283d8aa1e42bbb026baa93f24e6f87a943818d9feb4c311c20ff095e
-
SSDEEP
3072:fWC+t9BtK2qqscMrhAtzkPK8BZ3R0m/2PmOo9dBn5cp281TWO:fJMTK+szrhAxB+ZOme6Qp91Tj
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2