Extracted

• • Target

    JaffaCakes118_ac0b7246c66b3e4fdb6da832de6c418de78ee28e696d4bb8882031d9164cfba8

  • Size

    342KB

  • MD5

    aabe3e7233157be95fab7d9295545d76

  • SHA1

    b48ff5343235e704de19f11fbb69703cb8add3d7

  • SHA256

    ac0b7246c66b3e4fdb6da832de6c418de78ee28e696d4bb8882031d9164cfba8

  • SHA512

    2aedc5cfa0fa21c78d9e44961a40c2fb3c8503ab2e3b8dade135832e58dc72f0fdd782109a7a0d0212c77359adf7ede9caeaaf620e8c89a6bad1160bbf8d13de

  • SSDEEP

    6144:DGw0hF+kAn2aj+qBqLpklFGodlzsPSa3MDUk4B+H90C:DhhdvBqLKlFGodlzsPSaq4Bu

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2