Extracted

• • Target

    JaffaCakes118_30f34e11d0cc3ea3aaa86bf43fcc1f93d3bd0b7bfb101b6c4b4180217261874c

  • Size

    164KB

  • MD5

    2bb1fbbbed9cc4fadfa75a080379f3fb

  • SHA1

    32c784d175b2c892686d79ef500b3d6a7e286dc9

  • SHA256

    30f34e11d0cc3ea3aaa86bf43fcc1f93d3bd0b7bfb101b6c4b4180217261874c

  • SHA512

    35a409fe79641ad6deeab7176785fb0db9393250fb20f971de0e8ece15dbf20bb36e5593a4b9da0ca1c6c893193aa1a0f160f40c27205dbbbe4dc8bd77d3f409

  • SSDEEP

    3072:nhqXElKGK4Pm2B32eXAH57V3OUQuhS9H6S:ns0l9NXXK7hEa

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2