General

  • Target

    file.exe

  • Size

    272KB

  • Sample

    231117-s9bw9sbf2z

  • MD5

    76c98648f11970e09c160ae0224cb9f2

  • SHA1

    a1c7aa09a9ea241d69b8d378b98b64a7132b8929

  • SHA256

    de3cdc934393a5e4065690686ff7042e51f89efbcd15ca4df1f08dfcca8622f1

  • SHA512

    5e967565241c8d18f79e145e73df6050b480de31f40188d2cd70bd6a9d178c4fa93fcc1696ed7342bcf90b34a4a11168bd8a3852c626e97d636e0b60d03615ab

  • SSDEEP

    3072:yks08uYWLa6HVkluiY+BGzF88GK5ydpRsIgtCT6RsVip39iVR:DvTYivSxYTWXKypVipM

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe
    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext