Extracted

• • Target

    d7bce7dc29f9c05fba85e2922583c0cd_JaffaCakes118

  • Size

    114KB

  • MD5

    d7bce7dc29f9c05fba85e2922583c0cd

  • SHA1

    95a82ccfdad81f093dd63a4e64b6449ec518db23

  • SHA256

    387aed56da6bf8cc2a2be6be910747e14380408689ef011227b4bec12fb1ecb2

  • SHA512

    21a51f566b342fb41a38b8f1aa4ab081159ee51ee7fe6bdea6c4d93ca8c374509e3db35ff2c5d0641d6e5202a70a4dc4c8045585d3f0a4f31a3d497d148bca8a

  • SSDEEP

    3072:oYltF2ixWmZLprvw5EL0WHRVUlvw3ypP5:dltwKDvwEZxilvn

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2