Overview
overview
10Static
static
3FiveM-Spoo...in.zip
windows7-x64
1FiveM-Spoo...in.zip
windows10-2004-x64
1FiveM-Spoo...ss.exe
windows7-x64
3FiveM-Spoo...ss.exe
windows10-2004-x64
10FiveM-Spoo...ss.sln
windows7-x64
3FiveM-Spoo...ss.sln
windows10-2004-x64
3FiveM-Spoo...DME.md
windows7-x64
3FiveM-Spoo...DME.md
windows10-2004-x64
3FiveM-Spoo...on.hpp
windows7-x64
3FiveM-Spoo...on.hpp
windows10-2004-x64
3FiveM-Spoo...rk.cpp
windows7-x64
3FiveM-Spoo...rk.cpp
windows10-2004-x64
3FiveM-Spoo...rk.hpp
windows7-x64
3FiveM-Spoo...rk.hpp
windows10-2004-x64
3FiveM-Spoo...ce.cpp
windows7-x64
3FiveM-Spoo...ce.cpp
windows10-2004-x64
3FiveM-Spoo...ce.hpp
windows7-x64
3FiveM-Spoo...ce.hpp
windows10-2004-x64
3FiveM-Spoo...in.cpp
windows7-x64
3FiveM-Spoo...in.cpp
windows10-2004-x64
3FiveM-Spoo...ck.xml
windows7-x64
1FiveM-Spoo...ck.xml
windows10-2004-x64
1FiveM-Spoo...ilters
windows7-x64
3FiveM-Spoo...ilters
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-05-2024 08:55
Static task
static1
Behavioral task
behavioral1
Sample
FiveM-Spoofer-main.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FiveM-Spoofer-main.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
FiveM-Spoofer-main/CFXBypass.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
FiveM-Spoofer-main/CFXBypass.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
FiveM-Spoofer-main/CFXBypass.sln
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
FiveM-Spoofer-main/CFXBypass.sln
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
FiveM-Spoofer-main/README.md
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
FiveM-Spoofer-main/README.md
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FiveM-Spoofer-main/main/common.hpp
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FiveM-Spoofer-main/main/common.hpp
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
FiveM-Spoofer-main/main/core/network.cpp
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
FiveM-Spoofer-main/main/core/network.cpp
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
FiveM-Spoofer-main/main/core/network.hpp
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
FiveM-Spoofer-main/main/core/network.hpp
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
FiveM-Spoofer-main/main/core/trace.cpp
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
FiveM-Spoofer-main/main/core/trace.cpp
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
FiveM-Spoofer-main/main/core/trace.hpp
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
FiveM-Spoofer-main/main/core/trace.hpp
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
FiveM-Spoofer-main/main/main.cpp
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
FiveM-Spoofer-main/main/main.cpp
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
FiveM-Spoofer-main/main/smallcock.xml
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
FiveM-Spoofer-main/main/smallcock.xml
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
FiveM-Spoofer-main/main/smallcock.vcxproj.filters
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
FiveM-Spoofer-main/main/smallcock.vcxproj.filters
Resource
win10v2004-20240508-en
General
-
Target
FiveM-Spoofer-main/CFXBypass.sln
-
Size
1KB
-
MD5
e1690af0ae70b5a72be890b21cd494fe
-
SHA1
426cc25d2c8844cf4a9036c24fe6860dc3309bcb
-
SHA256
643897a48a22c67db958b9fe4bc24f1fb1df45da7772714dbe74c27c39c50528
-
SHA512
57decccfe5f8ab15296942615de515a5c04eb1d78c6a964289f2d6ea6f13f658080c7bc79b607ea6b330a29ec5d84938d25acb208cdd9253718630a05aa338ac
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln\ = "sln_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2612 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2612 AcroRd32.exe 2612 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2180 wrote to memory of 2068 2180 cmd.exe rundll32.exe PID 2180 wrote to memory of 2068 2180 cmd.exe rundll32.exe PID 2180 wrote to memory of 2068 2180 cmd.exe rundll32.exe PID 2068 wrote to memory of 2612 2068 rundll32.exe AcroRd32.exe PID 2068 wrote to memory of 2612 2068 rundll32.exe AcroRd32.exe PID 2068 wrote to memory of 2612 2068 rundll32.exe AcroRd32.exe PID 2068 wrote to memory of 2612 2068 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\FiveM-Spoofer-main\CFXBypass.sln1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FiveM-Spoofer-main\CFXBypass.sln2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FiveM-Spoofer-main\CFXBypass.sln"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2612
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD546e4818b81da78eafa2655e9ab12873e
SHA1e5f76f4428b6fc1417a7dd20c4eb8a58fd1d225f
SHA256a5c46015db0eb3ac399fb5a0fa3463c035a73aaf1dbbba80ea7d8cf20fef6cd4
SHA51204ee4e2b9299f44170b951444ba8c14e898c5f321a2333a9fcc2622558a98188efc841cf7b11d2558aa8eeb1f619b8db519f84d3a35782ea269e889c60b1f48c