Extracted

• • Target

    3df1d170c4b3e888a2fcb1b85d3b3b32_JaffaCakes118

  • Size

    10.3MB

  • MD5

    3df1d170c4b3e888a2fcb1b85d3b3b32

  • SHA1

    9be13fee01057b0a10dc141afd9f0a5f2137b986

  • SHA256

    7e2bf8eb0fd9b0d9b7c4d6ace2338eeea63c86dab7af88bafd8125d5975c1a32

  • SHA512

    793aa2a5230759cf02b6c84b01f9d278748afa9bd9666573eb6a88ec683a154967afa1efebe2c4af842bf0c82c4ec6a6546aab8921b995a4e80be4c2bceda51a

  • SSDEEP

    49152:8T81MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMw:8T8

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2