Extracted

• • Target

    JaffaCakes118_d05b590cc81b113ed63fe88a4c29fbc5

  • Size

    13.9MB

  • MD5

    d05b590cc81b113ed63fe88a4c29fbc5

  • SHA1

    45f68c0c125657b701357e9b16700e3914bf0567

  • SHA256

    14d2c60424d078e0d5900a44f2cf81a1b22224231d20ccd91b8841bff68f9aa2

  • SHA512

    17272f0cd99f55ceb82aeba78ee4496677449a09a98460e619e8c699195d51f2bfd039dfb2c3f5b25b23031da79529fac3b017fbf46cafbcff6bfb0443bd105e

  • SSDEEP

    393216:BMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs:BMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2