Extracted

• • Target

    JaffaCakes118_9e81805591a9493fd422934d9c29b458ee247a715c4b0ea44b659ff0f700a548

  • Size

    284KB

  • MD5

    ab514db61e4fe549e7fa5cf39e966f1f

  • SHA1

    34385b6a1930b3f3683f17f8ca03403511a8fac1

  • SHA256

    9e81805591a9493fd422934d9c29b458ee247a715c4b0ea44b659ff0f700a548

  • SHA512

    24712286888012a6dd2faa445ea901e420e1b316913cfe7b482d9fba557e308ddb48cf4aac636d90f7a8589773986ef60e9b28e420597d6ee291eb8fe13ea3f3

  • SSDEEP

    3072:1o5eiWVHGylf7j5r1/s3R94t7S8Q9S20ke957ylo5vuLkXrWFcXObIEAGWN7XsDb:i5RGdf791/sB9A7m/UBGIEAfT2

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2