Analysis
- max time kernel: 30s
- max time network: 26s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-05-2024 15:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: BackdoorWin32Farfli.BG!MTB.zip
- Resource: win11-20240426-en
General
- Target: Backdoor.Win32.Farfli.BG!MTB.exe
- Size: 3.0MB
- MD5: f8d5d84914ea87463cb8efbf49a74f55
- SHA1: 9613d02bc94648af72b9b69be6250479164a48a2
- SHA256: a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b
- SHA512: b43efbf1d722d51ff1cc78086b3a91817ab2d2c0adcb8f37b01aabc679c8310207c890b7e36fd58096de7465cc3ef44fe0140495c129f6ada946bdc50fb27662
- SSDEEP: 49152:6QZAdVyVT9n/Gg0P+WhoCsTKyoZ/Pjb6Kt0rbJEuSLz5xXA:jGdVyVT9nOgmh/sTKlZ6K+mLzA
Malware Config
Signatures
Resource / YARA rule:
- behavioral2/memory/3044-7-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/3044-6-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/3044-10-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/2412-18-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/2412-27-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/2412-16-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/2412-15-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/4236-33-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/4236-36-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral2/memory/4236-46-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
Gh0st RAT payload (11 IoCs)
Resource / YARA rule:
- behavioral2/memory/3044-7-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/3044-6-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/3044-10-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/2412-18-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/2412-27-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- C:\Windows\SysWOW64\240616375.txt: family_gh0strat
- behavioral2/memory/2412-16-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/2412-15-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/4236-33-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/4236-36-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral2/memory/4236-46-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
Drops file in Drivers directory (1 IoC)
Description / IoC / process:
- File created: C:\Windows\system32\drivers\QAssist.sys (TXPlatforn.exe)

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Description / IoC / process:
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240616375.txt" (svchos.exe)

Sets service image path in registry (2 TTPs, 1 IoC)
Description / IoC / process:
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (TXPlatforn.exe)
Executes dropped EXE (6 IoCs)
PID / process:
- 3044 svchost.exe
- 2412 TXPlatforn.exe
- 4528 svchos.exe
- 4236 TXPlatforn.exe
- 3632 HD_Backdoor.Win32.Farfli.BG!MTB.exe
- 4640 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL (3 IoCs)
PID / process:
- 4528 svchos.exe
- 2296 svchost.exe
- 4640 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Resource / YARA rule:
- behavioral2/memory/3044-7-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/3044-6-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/3044-5-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/3044-10-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/2412-18-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/2412-27-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/2412-16-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/2412-15-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/2412-13-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/4236-33-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/4236-36-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral2/memory/4236-46-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Description / IoC / process:
- File opened for modification: \??\PhysicalDrive0 (HD_Backdoor.Win32.Farfli.BG!MTB.exe)
Drops file in System32 directory (6 IoCs)
Description / IoC / process:
- File created: C:\Windows\SysWOW64\240616375.txt (svchos.exe)
- File opened for modification: C:\Windows\SysWOW64\ini.ini (svchos.exe)
- File created: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File created: C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)

Drops file in Program Files directory (5 IoCs)
Description / IoC / process:
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe (Backdoor.Win32.Farfli.BG!MTB.exe)
- File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Backdoor.Win32.Farfli.BG!MTB.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe (Backdoor.Win32.Farfli.BG!MTB.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Backdoor.Win32.Farfli.BG!MTB.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (Backdoor.Win32.Farfli.BG!MTB.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (10 IoCs)
Description / IoC / process (all by HD_Backdoor.Win32.Farfli.BG!MTB.exe):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\command\ = "\\JDeskTray.exe --from=rmenu"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command\ = "\\DeskAide64.exe --from=rmenu --mirrorPath=\"%1\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Icon = "\\Utils\\Install.ico"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Position = "Top"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\ = "映射该文件夹到桌面"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\Icon = "\\Utils\\mirror.ico"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID / process:
- 1340 Backdoor.Win32.Farfli.BG!MTB.exe (2 entries)
- 3632 HD_Backdoor.Win32.Farfli.BG!MTB.exe (2 entries)
Suspicious behavior: LoadsDriver (1 IoC)
PID / process:
- 4236 TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description / PID / process:
- Token: SeIncBasePriorityPrivilege, 3044 svchost.exe
- Token: SeLoadDriverPrivilege, 4236 TXPlatforn.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
PID / process:
- 1340 Backdoor.Win32.Farfli.BG!MTB.exe (2 entries)

Suspicious use of WriteProcessMemory (21 IoCs)
Source PID / process, target PID / process:
- PID 1340 (Backdoor.Win32.Farfli.BG!MTB.exe) wrote to memory of 3044 (svchost.exe) (3 entries)
- PID 3044 (svchost.exe) wrote to memory of 3912 (cmd.exe) (3 entries)
- PID 1340 (Backdoor.Win32.Farfli.BG!MTB.exe) wrote to memory of 4528 (svchos.exe) (3 entries)
- PID 2412 (TXPlatforn.exe) wrote to memory of 4236 (TXPlatforn.exe) (3 entries)
- PID 3912 (cmd.exe) wrote to memory of 4776 (PING.EXE) (3 entries)
- PID 1340 (Backdoor.Win32.Farfli.BG!MTB.exe) wrote to memory of 3632 (HD_Backdoor.Win32.Farfli.BG!MTB.exe) (3 entries)
- PID 2296 (svchost.exe) wrote to memory of 4640 (Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe) (3 entries)
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Farfli.BG!MTB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Farfli.BG!MTB.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        Signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\svchos.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    Signatures: Sets DLL path for service in the registry; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
  - C:\Users\Admin\AppData\Local\Temp\HD_Backdoor.Win32.Farfli.BG!MTB.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_Backdoor.Win32.Farfli.BG!MTB.exe
    Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Modifies registry class; Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    Signatures: Drops file in Drivers directory; Sets service image path in registry; Executes dropped EXE; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
    Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240616375.txt",MainThread
    Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\HD_Backdoor.Win32.Farfli.BG!MTB.exe
  Filesize: 1.3MB
  MD5: 0180d6e451c4b289bcc4d8be163bd9ad
  SHA1: 3f288c137b7d142db11180d2822fe680fdfe85fd
  SHA256: 1a9b3c81a7598f942e9c030bd452bac5a97c7ca528e5f575442a55cf836f02ef
  SHA512: 8fa31cc994b598e2f555341a3b8942d99fee92c9b10f955f9ff13c1a4ab8adec126a9d5fd8103d703171d532725a72ca91cc788dd22d3e77d6e7ab7e54e2ab4c
- C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.7MB
  MD5: 52250986e17600054933532922dd92f4
  SHA1: 919f0ba79e00f62903bad25420898b104121119d
  SHA256: 56100ecfdacc8d3354cfe80c3e68db4eabf9e582189ac6a3c7a8fffaf245188f
  SHA512: eb85b98c3f20c1a225acaa7265ba6148146a23da0b73b3e5a0aeb5057a13f24187e3c48f38743cf8c9a294aff48e79318c982e3539189970f2adaac334a4193d
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
- C:\Windows\SysWOW64\240616375.txt
  Filesize: 50KB
  MD5: 27268699e8b4d12d949b7a4a64883b0d
  SHA1: c6b8159603640c87995996db1eea69f6b94a93fd
  SHA256: 247c183e72b7a241e1ad1d9f680fa29bd4b128d63132809e64e28dbdd0d7d2f9
  SHA512: ea5e40ecb2e0d78b109cbfba3d5625a106927585e8fae03189100179fb288ecd611de3070af25b77aff6788d16855593f75482d876ce2432fae442cd4b6d8788
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  Filesize: 40KB
  MD5: 22bb5bd901d8b25ac5b41edbb7d5053e
  SHA1: 8a935dd8d7e104fc553ff7e8b54a404f7b079334
  SHA256: 8dcaeeebef9b9f3d41d295db145ffb3850f309d089c08125c7fa7034db5fd80e
  SHA512: cc3fb68fd6791a08e4a7d1a8db8d07cfcc8c9b9dceec10b53f0cb7ee86473303a19be4f23e379f84c59e02d0568e7c066e21cd1300f6032dac4ba52f609f62e7

Memory dumps (each 1.7MB):
- memory/2412-13-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/2412-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/2412-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/2412-16-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/2412-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/3044-10-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/3044-5-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/3044-6-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/3044-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/4236-33-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/4236-36-0x0000000010000000-0x00000000101B6000-memory.dmp
- memory/4236-46-0x0000000010000000-0x00000000101B6000-memory.dmp