Extracted

• • Target

    JaffaCakes118_92f27854fc1c33255253c9d0fedf7a8b

  • Size

    302KB

  • MD5

    92f27854fc1c33255253c9d0fedf7a8b

  • SHA1

    6888e1954ebe90a884250d182c7bd166f4e98ca0

  • SHA256

    2d6a0c56a8747c82868605e8d25db845911a79d28cb4b77196a0026ac6d95427

  • SHA512

    429671f2875f1de2bd940d6fc8aa46c958086f05c32e74f530521068f40ee6dd9b86909ad099fb3a0c9e1893a48f9a24e65a0d4ad7f57e02501b8fd7484c04c9

  • SSDEEP

    6144:UuGJxsl1+JHGaZVApoeZWK8pzMxhrgtu:40yGaZVaoe18pzigt

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2