General

  • Target

    JaffaCakes118_9244e2f59d0654663f6d0bca90be9a12b84a44251f3454e79e950a4e65943887

  • Size

    179KB

  • Sample

    241226-tw6p6a1jdn

  • MD5

    091abd4eddf1fce2d33a6b066453e4c9

  • SHA1

    de05a70e3dca3ce6a0b64cb6adca073248302840

  • SHA256

    9244e2f59d0654663f6d0bca90be9a12b84a44251f3454e79e950a4e65943887

  • SHA512

    4406692d65a81517a19d14cf082ebe9f40bf41dbf43d3c4ae44efc4eff46f1580ebfee0e43c1fe52bad36a9fae2f2d32f2bf004b81ae051a82f42ebf7f5c9971

  • SSDEEP

    3072:l744SpmfTOqHTO8nYzvoI+6+gNU22HNgesS5nXm:MmfTO0Vn0oxXga2QudmX

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      JaffaCakes118_9244e2f59d0654663f6d0bca90be9a12b84a44251f3454e79e950a4e65943887

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks