Extracted

• • Target

    JaffaCakes118_9244e2f59d0654663f6d0bca90be9a12b84a44251f3454e79e950a4e65943887

  • Size

    179KB

  • MD5

    091abd4eddf1fce2d33a6b066453e4c9

  • SHA1

    de05a70e3dca3ce6a0b64cb6adca073248302840

  • SHA256

    9244e2f59d0654663f6d0bca90be9a12b84a44251f3454e79e950a4e65943887

  • SHA512

    4406692d65a81517a19d14cf082ebe9f40bf41dbf43d3c4ae44efc4eff46f1580ebfee0e43c1fe52bad36a9fae2f2d32f2bf004b81ae051a82f42ebf7f5c9971

  • SSDEEP

    3072:l744SpmfTOqHTO8nYzvoI+6+gNU22HNgesS5nXm:MmfTO0Vn0oxXga2QudmX

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2