Extracted

• • Target

    JaffaCakes118_4d9b3eaae7f591289d07eb6df10c78b68ad583b011ece723d4aaa669e19d8e58

  • Size

    286KB

  • MD5

    30f334034890bf4e9978e88c3a8d289e

  • SHA1

    c01f11ade66a776369c5e661ade581f5141f7e53

  • SHA256

    4d9b3eaae7f591289d07eb6df10c78b68ad583b011ece723d4aaa669e19d8e58

  • SHA512

    b3278c0ffca87a27d3bc80743a80b830cf94d88bee4791e21d1a0d9f31d719593e993ca897e86cb0d2b9262745bad7a5db04feab3ec2ad0de5640131863fc774

  • SSDEEP

    3072:FFVyYf0kx6mLP1mrJpQ6mld1JCHyOzoLOS7XuWVOO5Z8jVw7DWk7MW+CJUBU4wuj:7Smz1UJ50JCHyU0XGUZiVOCYBJh4b

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2