Trojan Win32 Tobfy M Affiliate

Came across a Tobfy sample today; things were interesting, so here is a post. I will skip the reversing part: I'm a bit bored to take 50 screenshots and go step by step through what the M version of Tobfy does (this winlock is very primitive and relatively easy to understand). So, let's go directly to the C&C part.

French landing when loaded (buggy IP retrieving, and geoloc):

dns: 1 ip: 91.226.212.174 - adresse: HKKPOGMPG.POLEXT-FREEHOST.RU
dns: 1 ip: 91.226.212.174 - adresse: AREKOV.COM

[Panel screenshots; only the captions survive here]
Login:
Registration:
News:
Statistics:
Checks:
Links/EXE (39090a097cfbe4ab766317e5f3d74b53):
Rules:
Affiliate stats: (Ignore the admin account, it's also made by me)
Affiliate Checks:

Some samples taken from the server: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2214&start=10#p19581

I'm a bit unaware about Tobfy, but that's the first time I see this one on an affiliate system.
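For anyone who wants to sweep their own logs for the indicators listed in this post (the C&C IP, the two domains returned by the landing check, and the MD5 of the Links/EXE payload), here is a small added example that is not part of the original post or of any Tobfy tooling. The log lines are constructed for the demo; the only values taken from the post are the IP, the two domains and the hash.

```python
import re
from dataclasses import dataclass

# Indicators as they appear in the post above: C&C IP, the two hostnames the
# landing page resolved, and the MD5 of the affiliate-distributed EXE.
TOBFY_IOCS = {
    "ipv4": {"91.226.212.174"},
    "domain": {"hkkpogmpg.polext-freehost.ru", "arekov.com"},
    "md5": {"39090a097cfbe4ab766317e5f3d74b53"},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Requires an alphabetic last label, so dotted IPs are not picked up here.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned input
    kind: str      # "ipv4", "domain" or "md5"
    value: str     # normalised indicator that matched


def _domain_matches(name: str) -> bool:
    """Exact match or subdomain of a listed C&C domain."""
    name = name.lower().rstrip(".")
    return name in TOBFY_IOCS["domain"] or any(
        name.endswith("." + d) for d in TOBFY_IOCS["domain"]
    )


def scan_lines(lines):
    """Return every IoC hit found in an iterable of log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in TOBFY_IOCS["ipv4"]:
                hits.append(Hit(n, "ipv4", ip))
        for dom in DOMAIN_RE.findall(line):
            if _domain_matches(dom):
                hits.append(Hit(n, "domain", dom.lower().rstrip(".")))
        for digest in MD5_RE.findall(line):
            if digest.lower() in TOBFY_IOCS["md5"]:
                hits.append(Hit(n, "md5", digest.lower()))
    return hits


# Constructed sample lines (proxy, DNS and AV logs); not real traffic.
SAMPLE_LOG = [
    "2012-11-05T10:01:12 proxy CONNECT hkkpogmpg.polext-freehost.ru:80 src=10.0.0.23",
    "2012-11-05T10:01:13 dns query A arekov.com from 10.0.0.23",
    "2012-11-05T10:01:14 proxy GET http://91.226.212.174/ src=10.0.0.23",
    "2012-11-05T10:02:00 proxy GET http://www.example.com/ src=10.0.0.41",
    "2012-11-05T10:05:31 av file=C:\\Users\\bob\\Downloads\\setup.exe md5=39090a097cfbe4ab766317e5f3d74b53",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

The domain check also matches subdomains of the listed hosts, since affiliate-style panels tend to hand out per-affiliate hostnames under the same parent; the IP and hash checks are exact.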