Extracted

• • Target

    a3a63be8d8c5c049e131a86615f76b83_JaffaCakes118

  • Size

    120KB

  • MD5

    a3a63be8d8c5c049e131a86615f76b83

  • SHA1

    a1afb302b1a0a3bba5a010478c8d73fdc6c6855f

  • SHA256

    ee30f2371e37ce15b20f916a9f03d2562aa98a0dbb44ad3105c3b0f0de05dcf9

  • SHA512

    51d5c50505b6008f3e3e1459e81f3cc4914b1c4e1c771637420974a939731e83c1d68eae1bae50b0b8446cb28d6aac79ca6c253c231662b763c0a15079229beb

  • SSDEEP

    3072:J1m2XC9sVo1/Phtf4U2qJjULtTNupQyEC6pxhhfm5OcV:TMRItTNKr2f45

  Score

  10^/10

  tofseeevasionexecutionpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2