{
	"id": "20f30504-aeab-4200-8bbb-7c218206a776",
	"created_at": "2026-04-10T03:22:12.303532Z",
	"updated_at": "2026-04-10T13:12:16.582381Z",
	"deleted_at": null,
	"sha1_hash": "34a05c8ccdb6658c87806ba185a7335b2f01ae22",
	"title": "Malware Discovered – SFG: Furtim Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 694977,
	"plain_text": "Malware Discovered – SFG: Furtim Malware Analysis\r\nBy Joseph Landry\r\nPublished: 2016-07-12 · Archived: 2026-04-10 03:08:55 UTC\r\nBy Joseph Landry and Udi Shamir\r\nUpdate, 14-July: There have been a number of stories published since the posting of this blog that have suggested this\r\nattack is specifically targeting SCADA energy management systems. We want to emphasize that we do not have any\r\nevidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution\r\nor target.\r\nThe Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one\r\nenergy company. Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and\r\nsophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state\r\nsponsored initiative, potentially originating in Eastern Europe.\r\nThe malware is most likely a dropper tool being used to gain access to carefully targeted network users, which is then used\r\neither to introduce the payload, which could either work to extract data or insert the malware to potentially shut down an\r\nenergy grid. The exploit affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus\r\nsolutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect\r\nadvanced malware. (biometric readers are non-relevant to the bypass / detection techniques, the malware will stop executing\r\nif it detects the presence of specific biometric vendor software).\r\nWe believe the malware was released in May of this year and is still active. 
It exhibits traits seen in previous nation-state\r\nrootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable\r\nresources.\r\nWe validated this malware campaign against SentinelOne and confirmed the steps outlined below were detected by our\r\nDynamic Behavior Tracking (DBT) engine.\r\nMalware Synopsis\r\nThis sample was written in a manner to evade static and behavioral detection. Many anti-sandboxing techniques are utilized.\r\nAnalysts relying solely on sandbox solutions may miss the full functionality of the sample.\r\nhttps://sentinelone.com/blogs/sfg-furtims-parent/\r\nPage 1 of 17\n\nUpdate: JoeSandbox contacted us and said their sandbox will run this sample.\r\nTwo known exploits (CVE-2014-4113 and CVE-2015-1701) were found in the sample, as well as one UAC bypass.\r\nThe sample appears to be targeting facilities that not only have software security in place, but physical security as well.\r\nZKTeco (http://www.zkteco.com/) is a global manufacturer of access control systems including facial recognition,\r\nfingerprint scanners, and RFID. If the sample is run on a workstation with ZKTeco’s ZKAccess software installed, the\r\nprocess will prematurely terminate. These systems would be heavily scrutinized by their administrators, and an infection on\r\none of these machines would likely not go unnoticed.\r\nTwo hard-coded MAC addresses are checked for by the sample. A MAC address is a unique 6-byte number that is burned into\r\nthe chips of all network cards. The sample will prematurely terminate if the machine it is running on has one of these two\r\nMAC addresses.\r\nLow-level APIs (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)\r\nare used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the\r\nauthor. 
Many of these low-level APIs and system calls are undocumented or under-documented and can change between\r\ndifferent versions of Windows. To gain an understanding of these functions, one has to be familiar with the Windows Driver\r\nDevelopment Kit (DDK), and also with reverse-engineered portions of the Windows operating system.\r\nThe use of indirect subroutine calls makes manual static analysis nearly impossible, and manual dynamic analysis painful and\r\nslow. The author took special care to keep this sample undetected for as long as possible.\r\nThe main goal of the sample analyzed is to run its final payload after silently removing a number of antivirus products.\r\nOverview of Execution\r\nThe sample starts by rigorously checking its environment. If in a sandbox or under manual inspection by an analyst, the\r\nsample will prematurely terminate. If the sample finds specific antivirus software installed, it will carefully enable and\r\ndisable specific functionality to evade behavioral detection.\r\nIn many situations, the sample will distance itself from malicious behaviors by\r\ninvoking cmd.exe to do its dirty work. For example, modifying sensitive registry values is done by invoking cmd.exe /c\r\nreg.exe …. Unfortunately for this sample, SentinelOne tracks the full context of processes to determine the root cause of\r\nmalicious behavior.\r\nZKAccess\r\nFrom this point on, the sample’s goal is to remove any antivirus software before running its final payload. To accomplish\r\nthis goal, the sample must be run as administrator. Two known local privilege escalation exploits are included in the sample\r\n(CVE-2014-4113 and CVE-2015-1701), as well as one UAC bypass, which are used to acquire administrator access. As a\r\nlast resort, the sample will use a UAC prompt to try and elevate itself to administrator. 
Once the sample is running as\r\nadministrator, it will add the current user to the local Administrator group, allowing it to maintain administrator access in the\r\nfuture.\r\nThe sample now writes its Native Application binary to disk. Unlike regular application code, this binary can only link\r\nto ntdll.dll. It will run at a point in the boot-up process where some Windows subsystems are not yet initialized, and\r\ntherefore cannot call into normal DLLs like kernel32.dll and user32.dll. This Native Application is hidden in an NTFS\r\nAlternate Data Stream (ADS) at the path C:\\Windows\\Temp:1. By using an ADS, the file will not be visible to normal file\r\nbrowsers, like explorer.exe. The Native Application is registered to run on boot-up by altering the\r\nvalues SetupExecute and BootExecute in the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\r\nManager.\r\nTo ensure the success of the Native Application, the sample will prevent all filter drivers from running after reboot by\r\nremoving their associated registry entries. Filter drivers are used by anti-virus software to intercept file and network access to\r\nrun static detection on the contents of the traffic. These drivers are loaded early in the boot process, and could interfere with\r\nthe execution of the Native Application.\r\nThe system is now forced to reboot, allowing the Native Application to run. The Native Application also has similar checks\r\nto tell if it is running in a sandbox, and will terminate prematurely when one is detected.\r\nThe Native Application’s goal is to remove any anti-virus software that is installed on the system and drop its final payload.\r\nBy running during the boot process, and after the preparation that was done in the previous stage, the Native Application has\r\nfull control over the system. 
Removing any anti-virus is trivial at this point because the anti-virus software is not running.\r\nThe Native Binary writes the final payload of the sample to disk under the filename rdpinst.exe and registers it to be run\r\nlater in the boot process by creating a registry value\r\nin \\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.\r\nArchitecture\r\nThere is one large structure that is allocated on the heap. This structure contains mostly function pointers to external libraries\r\nand internal function pointers. This creates a problem for static analysis. There are many indirect calls (e.g. CALL EAX)\r\nobscuring the program flow for static analysis. This structure is passed as the first parameter to almost every function in the\r\nbinary.\r\nA large chunk of the .data region is encrypted using RC4. This encrypted region contains the string literals for the sample,\r\ncreating another problem for static analysis and static detection. Before the process is terminated, this region is re-encrypted,\r\npossibly to deter an analyst from recovering the unencrypted contents by using memory dumps.\r\nIncluded in this encrypted region are three binary blobs that are also encrypted and compressed: the final payload, a Windows\r\nNative API application; a DLL with a UAC bypass; and a 64-bit executable containing an exploit for CVE-2014-4113.\r\nReversing Techniques Used\r\nTo reverse the main sample, I developed a Python script to patch out the blacklist and NOP out some test code. 
By placing a\r\nbreakpoint on the function that gets called to prematurely terminate the process, we were able to identify checks that failed\r\nby inspecting the return address on the call stack.\r\nZeroing out the relocation size in the PE Data Directory also made jumping between IDA and OllyDBG easier because the\r\nbase address of the executable was not randomized.\r\nNoting the destination address of indirect jumps in IDA comments made reviewing after debugging much simpler.\r\nTo debug the Native Application binary, I patched the PE Optional Header Subsystem field from 1 to 2. This changed\r\nthe subsystem used by the binary from Native to WindowsGUI. This will let the binary run after bootup is finished, instead\r\nof getting this error message:\r\n[image: error message shown when double-clicking the Native Application]\r\n“Packing”\r\nThe code of the main executable (.text segment) isn’t packed, but a region in the .data section is encrypted using RC4 with\r\nthe password “dqrChZonUF”. The RC4 implementation looks like a direct copy of the code found in the FreeBSD and XNU\r\nkernels:\r\nhttps://github.com/freebsd/freebsd/blob/master/sys/crypto/rc4/rc4.c\r\nhttp://opensource.apple.com//source/xnu/xnu-1456.1.26/bsd/crypto/rc4/rc4.c\r\nThe only modification to the BSD RC4 implementation is the pointer to the global struct containing the function pointers to\r\nthe RC4 subroutines.\r\nAfter decrypting this large section, all the string literals are uncovered.\r\n[image: RC4 decryption routine]\r\nAlso, there are other regions inside of this decrypted region containing more encrypted blobs, like a Matryoshka doll. 
These\r\ncontain a Native executable, the UAC bypass DLL, and the 64-bit implementation of the exploit for CVE-2014-4113.\r\nFurthermore, the Native binary contains another binary blob, which is the compressed and encrypted final payload.\r\nTeam member Caleb Fenton correctly identified the compressed stream format used for these blobs as aPLib.\r\n[image: aPLib decompression routine]\r\nAlthough RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication\r\nnot seen in typical crimeware.\r\nAnti-Debug, Anti-Sandbox, Anti-AV\r\nThe sample has an overwhelming number of checks to determine if it is in a sandbox, or if an antivirus application is\r\ninstalled. But why would the author go through so much trouble to evade sandboxes and AV products?\r\nThe strategy used by the author seems to be this:\r\nIf we are running in a virtual machine, sandbox, or under manual inspection by an analyst, encrypt the .data section\r\nand terminate prematurely.\r\nIf we are in an environment with Anti-Virus products installed, carefully enable and disable behaviors of the infection\r\nto avoid behavioral detection.\r\nThe following is a list of checks the sample performs in the order that they are executed.\r\nCPUID Check\r\nThis test is the least invasive of all the tests performed. It also would be hard for a virtualization-based sandbox to detect,\r\nbecause the CPUID instruction would be run on the physical CPU, and can’t be hooked. By running this test first, it will\r\nensure that the sandbox log would not show any evidence of the process trying to inspect its environment. An analyst might\r\ndismiss the sample, because it doesn’t appear to be trying to detect the sandbox or virtual machine. The x86 instruction\r\nCPUID will report back features of the CPU. This instruction is normally used to check what features are supported by the\r\nCPU to avoid an “Invalid Instruction” exception before executing feature-specific code. 
The sample uses this instruction to\r\nfind artifacts of a virtual machine. When the CPUID instruction is executed with the register EAX set to 0x80000002,\r\n0x80000003, or 0x80000004, the CPU fills registers EAX, EBX, ECX, and EDX with the “Product Brand String.” If the\r\nbrand string is found in the sample’s blacklist, the process will prematurely terminate.\r\nStrings checked via CPUID where EAX=0x8000000x:\r\nIntel(R) Xeon(R) CPU\r\nCommon KVM processor\r\nCommon 32-bit KVM\r\nVirtual CPU\r\nIntel Celeron_4x0 (Conroe/Merom Class Core 2)\r\nWestmere E56xx/L56xx/X56xx (Nehalem-C)\r\nIntel Core 2 Duo P9xxx (Penryn Class Core 2)\r\nIntel Core i7 9xx (Nehalem Class Core i7)\r\nIntel Xeon E312xx (Sandy Bridge)\r\nAMD Opteron 240 (Gen 1 Class Opteron)\r\nAMD Opteron 22xx (Gen 2 Class Opteron)\r\nAMD Opteron 23xx (Gen 3 Class Opteron)\r\nAMD Opteron 62xx class CPU\r\nIntel CPU version\r\nMany of these CPU strings look legitimate, but are the exact strings used by KVM and QEMU.\r\n# kvm -cpu ?\r\nx86 qemu64 QEMU Virtual CPU version 2.4.0\r\nx86 phenom AMD Phenom(tm) 9550 Quad-Core Processor\r\nx86 core2duo Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz\r\nx86 kvm64 Common KVM processor\r\nx86 qemu32 QEMU Virtual CPU version 2.4.0\r\nx86 kvm32 Common 32-bit KVM processor\r\nx86 coreduo Genuine Intel(R) CPU T2600 @ 2.16GHz\r\nx86 486\r\nx86 pentium\r\nx86 pentium2\r\nx86 pentium3\r\nx86 athlon QEMU Virtual CPU version 2.4.0\r\nx86 n270 Intel(R) Atom(TM) CPU N270 @ 1.60GHz\r\nx86 Conroe Intel Celeron_4x0 (Conroe/Merom Class Core 2)\r\nx86 Penryn Intel Core 2 Duo P9xxx (Penryn Class Core 2)\r\nx86 Nehalem Intel Core i7 9xx (Nehalem Class Core i7)\r\nx86 Westmere Westmere E56xx/L56xx/X56xx (Nehalem-C)\r\nx86 SandyBridge Intel Xeon E312xx (Sandy Bridge)\r\nx86 IvyBridge Intel Xeon E3-12xx v2 (Ivy Bridge)\r\nx86 Haswell-noTSX Intel Core Processor (Haswell, no TSX)\r\nx86 Haswell Intel Core Processor (Haswell)\r\nx86 
Broadwell-noTSX Intel Core Processor (Broadwell, no TSX)\r\nx86 Broadwell Intel Core Processor (Broadwell)\r\nx86 Opteron_G1 AMD Opteron 240 (Gen 1 Class Opteron)\r\nx86 Opteron_G2 AMD Opteron 22xx (Gen 2 Class Opteron)\r\nx86 Opteron_G3 AMD Opteron 23xx (Gen 3 Class Opteron)\r\nx86 Opteron_G4 AMD Opteron 62xx class CPU\r\nx86 Opteron_G5 AMD Opteron 63xx class CPU\r\nx86 host KVM processor with all supported host features (only available in KVM mode)\r\nIf the check passes, the string is stored in the global struct for later testing.\r\nFurthermore, the CPUID instruction can be executed with the register EAX set to 0x40000000. This will return a string that\r\ncan be set by a hypervisor.\r\nBlacklist for CPUID where EAX=0x40000000:\r\nVMwareVMware\r\nXenVMMXenVMM\r\nKVMKVMKVM\r\nprl hyperv\r\nMicrosoft Hv\r\nMore about the CPUID instruction can be found in the Intel Instruction Set Reference starting on page 3-179:\r\nhttp://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf\r\nHostname Check\r\nThe sample contains a blacklist of hostnames. In the event the result of GetComputerNameW() is found in the blacklist,\r\nthe process again terminates.\r\nbrbrb-d8fb22af1\r\njonathan-c561e0\r\navreview1-VMXP\r\nvwinxp-maltest\r\navreview-VMSunbox\r\ninfected-system\r\nGoogling these strings brings results that suggest that they are hostnames for sandboxes and honeypots. 
These hostnames are\r\nalso used in other malware samples as hostname blacklists.\r\nFilename Check\r\nBy a call to GetModuleFileNameW() the sample checks its filename to see if it is in a location commonly used by sandboxes:\r\nFull string case insensitive compare:\r\nC:\\xxx\\sample.exe\r\nC:\\sample.exe\r\nC:\\Shared\\dum._vxe\r\nC:\\SniferFiles\\sample.exe\r\nC:\\virus\\virus.exe\r\nC:\\virus.exe\r\nc:\\sampel.exe\r\nC:\\setup.exe\r\nC:\\runme.exe\r\nc:\\VMRun\\Zample.exe\r\nc:\\FILE.EXE\r\nC:\\run\\temp.exe\r\nc:\\taskrun\\samples\\rtktst.exe.exe\r\nc:\\artifact.exe\r\nC:\\manual\\sunbox.exe\r\nC:\\1.exe\r\nString find:\r\nmalware.exe\r\n\\virus\\\r\nadmin\\downloads\\samp1e_\r\nsample_execution\r\nmlwr_smpl.exe\r\nAny file in this format where ‘x’ is any character:\r\n'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\\\\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx'\r\nThis format appears to be a GUID string. There must be some sandboxing technology that uses this format that the author was\r\naware of.\r\nFinally, it checks if a ‘Z:\\’ drive is present, then checks for the file ‘Z:\\VxStream’. This will detect if it is being run in\r\nthe VxStream Sandbox.\r\nLook for DLLs associated with function hooking\r\nUser-space hooking is a technique used by anti-virus to detect what could be considered malicious behavior. The technique\r\nis also used by sandboxes to record a log of runtime behaviors of a process. The most common way of hooking a process is\r\nto inject a DLL into the process. This hooking DLL will patch system DLLs like kernel32.dll and ntdll.dll in memory. When\r\nthe process being hooked makes a call into these system DLLs, it will be redirected to a “detour” function inside of the\r\ninjected hooking DLL. 
If the function call is determined to be benign, the control flow is allowed to continue into the system\r\nDLLs.\r\nAnti-Virus products that utilize this technique tend to prefer hooking system DLLs like kernel32.dll over ntdll.dll.\r\nThis is because hooking ntdll.dll is less reliable and requires more labor to write. The interface to ntdll.dll could\r\nchange on the whim of Microsoft, and isn’t documented well. kernel32.dll has a more predictable and constant interface\r\nand is well documented on MSDN.\r\nA malicious program wanting to avoid detection at runtime by a user-space hook might have some success calling directly\r\ninto ntdll.dll instead of kernel32.dll because the underlying ntdll.dll functions may not be hooked.\r\nThe sample will look for injected DLLs associated with user-space hooks in its process space by making a call\r\nto ntdll!LdrGetDllHandle() instead of the more common kernel32!GetModuleHandle(). By calling directly into the ntdll\r\nimplementation, hooks on the kernel32 layer can be avoided. If a DLL associated with hooking is discovered, the program’s\r\nbehavior can be altered to specifically avoid detection by these products.\r\nIf a DLL is found, the result is stored so that future malicious functionality can be suppressed, or specific techniques to\r\navoid detection can be utilized.\r\nThe hooking DLL blacklist:\r\nDLL File Name Vendor\r\navcuf32.dll BitDefender\r\nBgAgent.dll BullGuard\r\nguard32.dll COMODO\r\nwl_hook.dll Agnitum\r\nQOEHook.dll Qurb\r\na2hooks32.dll Emsisoft\r\nLooking for Sandbox Artifacts on the File System\r\nIf any of these files or directories are found, the process terminates prematurely. 
These files appear to be associated with\r\nsandbox software.\r\nC:\\agent\\agent.pyw\r\nC:\\sandbox\\starter.exe\r\nc:\\ipf\\BDCore_U.dll\r\nC:\\cwsandbox_manager\r\nC:\\cwsandbox\r\nC:\\Stuff\\odbg110\r\nC:\\gfisandbox\r\nC:\\Virus Analysis\r\nC:\\iDEFENSE\\SysAnalyzer\r\nc:\\gnu\\bin\r\nC:\\SandCastle\\tools\r\nC:\\cuckoo\\dll\r\nC:\\MDS\\WinDump.exe\r\nC:\\tsl\\Raptorclient.exe\r\nC:\\guest_tools\\start.bat\r\nC:\\tools\\aswsnx\\snxcmd.exe\r\nC:\\Winap\\ckmon.pyw\r\nc:\\tools\\decodezeus\r\nc:\\tools\\aswsnx\r\nC:\\sandbox\\starter.exe\r\nC:\\Kit\\procexp.exe\r\nc:\\tracer\\mdare32_0.sys\r\nC:\\tool\\malmon\r\nC:\\Samples\\102114\\Completed\r\nc:\\vmremote\\VmRemoteGuest.exe\r\nd:\\sandbox_svc.exe\r\nChecking Number of CPU Cores\r\nRemember how the CPUID “Product Brand String” was stored for later use? Here’s why. If the CPU should have more than\r\n1 core, but the operating system only reports 1 core, it’s likely running inside a virtual machine.\r\nA call is made to RtlGetNativeSystemInformation(SystemBasicInformation, ...). This call will fill the contents of\r\na SYSTEM_BASIC_INFORMATION struct. 
The sample checks the\r\nfield _SYSTEM_BASIC_INFORMATION.NumberOfProcessors and if the value is 1 while the CPU Product Brand String\r\nreported should have more than one core, the process is terminated.\r\nCPU brand strings that are checked:\r\n'Intel(R) Core(TM) i7'\r\n'Intel(R) Core(TM) i5'\r\n'Intel(R) Core(TM) i3'\r\n'Intel(R) Core(TM)2 Duo CPU'\r\n[image: NtQuerySystemInformation() _SYSTEM_INFORMATION_CLASS enum in ReactOS source]\r\nRtlGetNativeSystemInformation() seems to be similar to NtQuerySystemInformation(), documented on MSDN\r\nhere.\r\nI found an unofficial source of the struct SYSTEM_BASIC_INFORMATION here: http://masm32.com/board/index.php?topic=3400.0\r\n[image: ReactOS struct _SYSTEM_BASIC_INFORMATION]\r\nYet Another DLL Hooking Blacklist\r\nThese DLLs are associated with software used to manually analyze samples.\r\ndir_watch.dll\r\ntracer.dll\r\nSbieDll.dll\r\nAPIOverride.dll\r\nNtHookEngine.dll\r\napi_log.dll\r\nLOG_API.DLL\r\nLOG_API32.DLL\r\n[image: ntdll!LdrGetDllHandle() call]\r\nIf any of these DLLs are loaded, the process terminates.\r\nKernel Driver Check\r\n[image: ReactOS source, RtlGetNativeSystemInformation is just NtQuerySystemInformation]\r\n[image: ReactOS SystemModuleInformation]\r\nA call to ntdll!RtlGetNativeSystemInformation(SystemModuleInformation, ...) is made. 
This returns a list of all loaded\r\nkernel drivers.\r\nEach kernel module is compared to a blacklist that is organized by vendor.\r\nIf any of these drivers are found, the process will terminate.\r\n???\r\ntaskrun\\bruta\\kbruta.sys\r\ntaskrun\\bruta\\TBM.sys\r\nSandbox, VM, and SysInternals drivers\r\nvmx_svga.sys\r\nvmmouse.sys\r\nxennet.sys\r\nCaptureProcessMonitor.sys\r\nCaptureRegistryMonitor.sys\r\nCaptureFileMonitor.sys\r\nCWSandboxWatchdogDri (sic)\r\nVBoxVideo.sys\r\nIf any of the following drivers are found, it is noted in the global struct, for later evasion techniques.\r\nQuick Heal (Indian)\r\nbdsnm.sys\r\nbdsflt.sys\r\nggc.sys\r\ncatflt.sys\r\nwsnf.sys\r\nllio.sys\r\nmscank.sys\r\nEMLTDI.SYS\r\nZoneAlarm\r\nvsdatant.sys\r\nQihoo 360 (Chinese)\r\n360Box.sys\r\n360Box64.sys\r\n360Camera.sys\r\n360Camera64.sys\r\n360SelfProtection.sys\r\n360AntiHacker.sys\r\n360AntiHacker64.sys\r\n360AvFlt.sys\r\nPC Tools (now part of Norton Security)\r\npctNdis.sys\r\npctNdisLW64.sys\r\nNorton 360\r\n360AvFlt.sys\r\n360FsFlt.sys\r\nK7 Computing (Indian)\r\nK7Sentry.sys\r\nK7FWFilt.sys\r\nK7TdiHlp.sys\r\nTrust Port (Czech Republic)\r\ntpsec.sys\r\nPrivacyware (US)\r\npwipf6.sys\r\nMicroWorld escan (US, India)\r\nmwfsmflt.sys\r\nProcObsrvesx.sys\r\nbdfsfltr.sys\r\neconceal.sys\r\nFilseclab (Chinese)\r\nffsmon.sys\r\nfildds.sys\r\nfilmfd.sys\r\nfilppd.sys\r\nKaspersky\r\nkl1.sys\r\nklif.sys\r\nkltdi.sys\r\nkneps.sys\r\nklkbdflt.sys\r\nklmouflt.sys\r\nG Data (German)\r\nGDBehave.sys\r\nGDNdisIc.sys\r\ngdwfpcd64.sys\r\ngdwfpcd32.sys\r\nArcabit (Polish)\r\nABFLT.sys\r\nAvast (Czech Republic)\r\naswMonFlt.sys\r\naswRvrt.sys\r\naswRdr2.sys\r\naswVmm.sys\r\naswNdisFlt.sys\r\naswSnx.sys\r\naswSP.sys\r\naswStm.sys\r\nAvira (German)\r\navnetflt.sys\r\navkmgr.sys\r\navipbb.sys\r\navgntflt.sys\r\nESET 
(Slovakia)\r\nEpfwLWF.sys\r\nepfwwfp.sys\r\neamonm.sys\r\nehdrv.sys\r\nepfw.sys\r\neelam.sys\r\nBaidu (Chinese)\r\nBfilter.sys\r\nBfmon.sys\r\nBhbase.sys\r\nAVG (Czech Republic)\r\navgdiskx.sys\r\navgidsdriverlx.sys\r\navgtdix.sys\r\navgunivx.sys\r\nAnti-Process\r\nThis will only execute if something was found in the kernel module check. (???)\r\nThe process list is enumerated by calling RtlGetNativeSystemInformation(5).\r\n[image: ReactOS source, information class 5 is process information]\r\n[image: MSDN SYSTEM_PROCESS_INFORMATION]\r\nIf a process with one of these filenames is found, its process ID is recorded, and the process is later terminated.\r\nThis is where the author prepares an attack on the analyst’s psyche. So far, the process only detects sandbox, VM, and\r\nantivirus, but this list of tools is usually run manually by an analyst. Detecting their presence but delaying their\r\ntermination until a later part of the process, rather than terminating them immediately, can give an analyst nightmares.\r\napispy.exe\r\nautoruns.exe\r\nautorunsc.exe\r\ndumpcap.exe\r\nemul.exe\r\nfortitracer.exe\r\nhookanaapp.exe\r\nhookexplorer.exe\r\nidag.exe\r\nidaq.exe\r\nimportrec.exe\r\nimul.exe\r\njoeboxcontrol.exe\r\njoeboxserver.exe\r\nmulti_pot.exe\r\nollydbg.exe\r\npeid.exe\r\npetools.exe\r\nproc_analyzer.exe\r\nprocexp.exe\r\nprocmon.exe\r\nregmon.exe\r\nscktool.exe\r\nsniff_hit.exe\r\nsysanalyzer.exe\r\nvmsrvc.exe\r\nvmtoolsd.exe\r\nvmusrvc.exe\r\nvmwaretray.exe\r\nFor each process, a call to QueryFullProcessImageNameW() is made and compared against a second blacklist. 
If any string\r\nin the blacklist occurs in the full image name, the process terminates.\r\nTHESE AREN’T SANDBOXES OR A/V, ARE THEY????\r\n\\oracle\\product\\\r\n\\OraHome_1\\perl\\\r\n\\dbhome_1\\perl\\bin\r\n\\ZKTeco\\ZKAccess\\\r\n\\oracle\\FRHome_1\\perl\\\r\n\\Oracle\\Middleware\\\r\nIs File Name [hash].exe Check\r\nIn the Anti-Virus industry, it is extremely common to rename a sample’s filename to its hash value. This is done to easily\r\nidentify a sample, and to store it with a unique filename. Typical hash algorithms that are used are MD5, SHA-1, and SHA-256.\r\nThis sample will read itself from disk, then calculate its checksum. Then it will see if the hex string of the checksum is\r\nfound in its filename.\r\n[image: check that the filename contains the hex hash]\r\nIs VMware Tools Installed Check\r\nNext, the sample checks if these two directories exist. If either exists, the process is terminated.\r\nC:\\Program Files\\VMware\\VMware Tools\r\nC:\\Program Files (x86)\\VMware\\VMware Tools\r\nHard Disk Vendor Check\r\nThe children of these two registry keys are enumerated:\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\IDE\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\SCSI\r\nThe values are checked against a blacklist containing virtualized hard disk vendors.\r\nQEMU_\r\nVMware\r\nVen_Red_Hat\u0026Prod_VirtIO\r\nDiskVBOX\r\nDiskVirtual\r\nIf a value is found in the blacklist, the process is terminated.\r\nMisc Hardware Vendors and BIOS Checks\r\nThese hardware-specific registry keys are checked. 
If they exist, the process terminates.\r\n\\Registry\\Machine\\HARDWARE\\ACPI\\DSDT\\VBOX__\\VBOXBIOS\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\ACPI\\Hyper_V_Gen_Counter_V1\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\ACPI\\XEN0000\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\XENBUS\\CLASS_VBD\u0026REV_02\r\nIn the same function, \\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\ is queried and checked against this blacklist:\r\nSystemBiosVersion\r\n‘BOCHS – 1’\r\n‘VBOX – 1’\r\n‘PRLS – 1’\r\nVideoBiosVersion\r\n‘VirtualBox’\r\nIf any of these registry values match, the process is terminated.\r\nAnti Network Interface Card (NIC) Check\r\nThis check is skipped if kernel modules associated with “Privacyware” were detected. I’m assuming “Privacyware” detects\r\nthe API calls in this check as malicious.\r\nThis function checks the NICs that are installed by calling IPHLPAPI!GetAdaptersInfo().\r\nMeeting these conditions will cause a premature termination:\r\nRealtek RTL8139 Family PCI Fast Ethernet NIC\r\nalso username is ‘antonie’\r\nalso ‘c:\\downloads\\’ exists\r\nRealtek RTL8139C+ Fast Ethernet NIC\r\nalso username is ‘Antony’\r\nalso ‘c:\\downloads\\’ exists\r\nThese network cards cause outright termination:\r\nVMware Accelerated AMD PCNet Adapter\r\nMicrosoft Virtual Machine Bus Network Adapter\r\nMicrosoft Hyper-V Network Adapter\r\nAdaptador de red de bus de máquina virtual de Microsoft\r\nIf the network card is NOT one of these, it will check the MAC address:\r\nVMware Virtual Ethernet Adapter for VMnet8\r\nVMware Virtual Ethernet Adapter for VMnet1\r\nVirtualBox Host-Only Ethernet Adapter\r\nThese MAC addresses will result in a premature termination:\r\nMAC address OUI Information Notes\r\n00:01:02:03:04:xx 3COM defunct, obviously bogus MAC address\r\n00:03:FF:xx:xx:xx Microsoft Corporation doesn’t make physical hardware?\r\n00:0C:29:xx:xx:xx 
VMware, Inc.\r\n08:00:27:xx:xx:xx Cadmus Computer Systems VirtualBox\r\n00:07:e9:e4:ce:4d Intel 0 results on google\r\n00:30:18:ab:d7:f2 Jetway Information Co., Ltd. 0 results on google\r\n00:ff:f2:f8:30:xx Dell?? VirtualBox??\r\n00:50:56:xx:xx:xx VMware, Inc.\r\n52:54:00:12:34:56 Realtek copypasta QEMU startup script?\r\n00:1c:42:xx:xx:xx Parallels, Inc. VMware product\r\n00:15:5d:xx:xx:xx Microsoft Corporation\r\n00:1d:d8:xx:xx:xx Microsoft Corporation\r\nI would like to know who owns “00:07:e9:e4:ce:4d” and “00:30:18:ab:d7:f2”. If they are burnt onto a physical device,\r\nit’s either a development machine, or a targeted machine to be specifically avoided.\r\nWindow Title Check\r\nPairs of window class names and titles are checked for, and if one is found, the sample’s process is terminated prematurely.\r\nThese tools are used by analysts and some are used by sandboxes.\r\nWindow Class Window Title\r\nPROCEXPL sysinternals\r\nPROCMON_WINDOW_CLASS sysinternals\r\nAutoruns sysinternals\r\nTCPViewClass sysinternals\r\n0 TCPView – Sysinternals: www.sysinternals.com\r\n0 File Monitor – Sysinternals: www.sysinternals.com\r\n0 Registry Monitor – Sysinternals: www.sysinternals.com\r\n0 Process Monitor – Sysinternals: www.sysinternals.com\r\ngdkWindowToplevel Wireshark\r\nAPI_TRACE_MAIN 0\r\n0 Wget [100%%] http://tristan.ssdcorp.net/guid\r\n0 C:\\Program Files\\Wireshark\\dumpcap.exe\r\n0 C:\\wireshark\\dumpcap.exe\r\n0 C:\\SandCastle\\tools\\FakeServer.exe\r\n0 C:\\Python27\\python.exe\r\n0 start.bat – C:\\Manual\\auto.bat\r\n0 Fortinet Sunbox\r\n0 PEiD v0.95\r\n0 Total Commander 7.0 – Ahnlab Inc.\r\n0 Total Commander 6.53 – GRISOFT, s.r.o.\r\n0 Total Commander 7.56a – Avira Soft\r\n0 Total Commander 7.56a – ROKURA SRL\r\n0 C:\\strawberry\\perl\\bin\\perl.exe\r\nThunderRT6FormDC SysAnalyzer\r\nTfrmMain All-Seeing Eye\r\nAfx:400000:b:10011:6:350167 Malicious Code Monitor v1.7.6 For NT(x86) – 
(ariesike@naver.com)\r\nTApplication Mouse Move – by RJL Software, Inc.\r\nSmartSniff SmartSniff\r\nConsoleWindowClass VxStream Kernel Service Manager\r\nRegistry Key Notes\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Iris Network Traffic Analyzer\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\InstallWatch Pro 2.5\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysAnalyzer_is1\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall{13BE68B1-7498-48AB-9D22-AD3AB6532531}\r\nAPI Monitor Alpha\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle VM VirtualBox Guest Additions\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle VM VirtualBox Guest Additions\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE\u0026DEV_BEEF\u0026SUBSYS_00000000\u0026REV_00\r\nVirtualBox Graphics De Drivers\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE\u0026DEV_CAFE\u0026SUBSYS_00000000\u0026REV_00\r\nVirtualBox G Service Devi Drivers\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333\u0026DEV_8811\u0026SUBSYS_00000000\u0026REV_00\r\nS3 Video Ca (used by virt machines)\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8\u0026DEV_4005\u0026SUBSYS_04001AB8\u0026REV_00\r\nParallels Dis WDDM Dev Drivers\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8\u0026DEV_4000\u0026SUBSYS_04001AB8\u0026REV_00\r\nParallels Too Device Drive\r\n\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8\u0026DEV_4006\u0026SUBSYS_04061AB8\u0026REV_00\r\nParallels 
Me\r\nController\r\n\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall{25AD16E5-F48B-4455-83D7-\r\n849D600475A4}\r\nWinalysis\r\nWindowexeA\r\n?\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Iris Network Traffic\r\nAnalyzer\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysAnalyzer_is1\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\InstallWatch Pro 2.5\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall{13BE68B1-7498-\r\n48AB-9D22-AD3AB6532531}\r\nAPI Monitor\r\nAlpha\r\n\\Registry\\Machine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall{25AD16E5-F48B-4455-83D7-849D600475A4}\r\nWinalysis\r\nWindowexeA\r\n?\r\nVMXh VMWare Check\r\nThe sample checks for the presence of VMware, by trying to execute a Intel  IN  instruction with EAX set to the value\r\n‘VMXh’. The  IN  instruction is a privileged instruction, and outside of the VMware guest, would result in a General\r\nProtection Fault exception. But inside a VMWare guest, the fault is not generated. VMWare uses this as a way for its guest\r\nsoftware to communicate to the host. It is documented here.\r\nThe specific technique to detect VMWare is here.\r\nhttps://sentinelone.com/blogs/sfg-furtims-parent/\r\nPage 15 of 17\n\nThis is how the sample implements the check:\r\nVMXh\r\nBecause this portion must be written in assembly, I assume the NOPs are to thwart any static detection on the opcodes.\r\nDirect3D Video Card Check\r\nUsing the Direct3D interface, the sample is able to enumerate information about the installed video adapters. If the video\r\ncards are vendors are in the blacklist, the process prematurely terminates.\r\nVendor Blacklist:\r\nVendorID Vendor Name Notes\r\n0x15ad VMWare Inc.\r\n0x80ee Oracle Corp. 
Virtual Box\r\n0x1013 Cirrus Logic Bochs and QEMU\r\nVendor Whitelist:\r\nVendorID Vendor Name\r\n0x8086 Intel\r\n0x10de Nvidia\r\n0x1002 AMD\r\nNow, because there is a whitelist and a blacklist, there exists a possibility that the device was not in either list. In the event\r\nof this case, the tie is settled by calling  GetCursorPosition() . If there are 15 mouse movements, then the sample assumes\r\nthat it is not in a sandbox, and continues execution. If there isn’t 15 mouse movements, the sample just blocks, waiting for\r\nthe movements to occur. During this waiting period, the .data section is re-encrypted. If the sample where in a sandbox, it\r\nwould be stuck in this loop, waiting. When the sandbox times-out, it might dump the contents of memory. By re-encrypting\r\nthe .data section, it will be encrypted in the data dump.\r\nA common feature of sandboxes is a “mouse mover.” The mouse mouse mover will make an application think there is a user\r\non the workspace by moving the mouse cursor around.\r\nThe sample also utilizes direct system calls to make the call to  GetCursorPosition() . This technique will bypass any user-space hooks that might try to move the mouse automatically.\r\nAvoiding userspace hooks by doing manual syscall\r\nNative Application Binary\r\nThe beginning of this binary has many anti-VM and anti-sandboxing techniques. just like the previous binary. It also\r\nallocates a large struct containing function pointers like the previous binary.\r\nThis portion of the sample is encrypted and compressed in the .data segment. As mentioned before, it written to disk in a\r\nNTFS ADS and at boot time before all the windows subsystems are loaded. If you have ever upgraded to windows 2000,\r\nyou will remember that the installation could upgrade the filesystem from FAT 32 to NTFS. 
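The adapter whitelist/blacklist and the 15-mouse-movement tie-break described above are the part of this evasion chain that a sandbox builder most needs to reproduce correctly, so here is a small model of that decision logic as an added example; it is not code from the original post or from the sample. It takes the vendor IDs and the threshold exactly as listed above, its cursor traces are constructed rather than captured, the vendor ID 0x1234 is a made-up value standing in for an adapter on neither list, and the optional live sampler uses the documented user32 GetCursorPos export through ctypes rather than the direct system call the sample makes.

```python
import ctypes
import time

# PCI vendor IDs as listed on the page (as reported by Direct3D adapter enumeration).
VENDOR_BLACKLIST = {0x15AD: 'VMware', 0x80EE: 'Oracle (VirtualBox)', 0x1013: 'Cirrus Logic (Bochs, QEMU)'}
VENDOR_WHITELIST = {0x8086: 'Intel', 0x10DE: 'Nvidia', 0x1002: 'AMD'}
MOUSE_MOVES_REQUIRED = 15   # threshold stated on the page

# Constructed cursor traces for offline runs (not captured from any real system).
STATIC_TRACE = [(100, 100)] * 40                               # idle sandbox, no mouse mover
JITTER_TRACE = [(100 + i, 100 + (i % 3)) for i in range(40)]   # mouse mover: position changes every sample


def classify_adapter(vendor_id):
    '''Return 'virtual', 'physical' or 'unknown' for a Direct3D adapter vendor ID.'''
    if vendor_id in VENDOR_BLACKLIST:
        return 'virtual'
    if vendor_id in VENDOR_WHITELIST:
        return 'physical'
    return 'unknown'


def count_mouse_moves(samples, required=MOUSE_MOVES_REQUIRED):
    '''Count consecutive cursor samples that differ, stopping once `required` moves
    have been seen. Samples may be any iterable of (x, y) pairs, including a
    generator that blocks between readings.'''
    moves = 0
    last = None
    for pos in samples:
        if last is not None and pos != last:
            moves += 1
            if moves >= required:
                break
        last = pos
    return moves


def sandbox_verdict(vendor_id, cursor_samples):
    '''Model of the decision tree described on the page:
    blacklisted vendor -> 'terminate'; whitelisted vendor -> 'run';
    otherwise wait for 15 mouse movements -> 'run', or 'stall' if the sample
    stream ends first (what a sandbox sees when it times out while the
    malware is still waiting).'''
    kind = classify_adapter(vendor_id)
    if kind == 'virtual':
        return 'terminate'
    if kind == 'physical':
        return 'run'
    moves = count_mouse_moves(cursor_samples)
    return 'run' if moves >= MOUSE_MOVES_REQUIRED else 'stall'


class _POINT(ctypes.Structure):
    _fields_ = [('x', ctypes.c_long), ('y', ctypes.c_long)]


def live_cursor_samples(interval_s=0.1, max_samples=600):
    '''Windows only: yield cursor positions from the documented user32 GetCursorPos
    export (not the direct syscall the sample uses). Feed this to sandbox_verdict()
    to measure whether a sandbox mouse mover produces enough distinct positions
    before the analysis window closes.'''
    user32 = ctypes.windll.user32
    pt = _POINT()
    for _ in range(max_samples):
        user32.GetCursorPos(ctypes.byref(pt))
        yield (pt.x, pt.y)
        time.sleep(interval_s)


if __name__ == '__main__':
    # 0x1234 is a made-up vendor ID on neither list, used to exercise the tie-break.
    for vid, trace in [(0x80EE, JITTER_TRACE), (0x10DE, STATIC_TRACE),
                       (0x1234, STATIC_TRACE), (0x1234, JITTER_TRACE)]:
        print(hex(vid), sandbox_verdict(vid, trace))
```

On a Windows sandbox, feed live_cursor_samples() to sandbox_verdict() with an unlisted vendor ID and a sample budget that matches the analysis timeout; a verdict of stall means the mouse mover is not producing 15 distinct positions in time, and because the sample reads the position through a direct syscall, the fix has to be real input injection rather than a user-mode hook on GetCursorPos.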
This portion of the sample runs at the same point in the boot sequence as that file system conversion code would run, as a native application with only the Native API (ntdll) available to it.\r\nAn example project using this technique can be found on codeproject.com.\r\nThe native binary is written in the same style as the parent. A large struct is allocated on the heap that stores function pointers. It also uses RC4 to encrypt its string literals, and contains the final payload compressed using aPLib.\r\nThe goal of this portion of the sample is to remove a large number of anti-virus products. It also modifies the hosts file used by the DNS client: many anti-virus update servers are mapped to 0.0.0.0, effectively stopping any anti-virus that remains installed from updating its definitions.\r\nFigure: hosts file\r\nIt finishes by dropping the final payload to %SystemRoot%\\rdpinst.exe and ensuring that it runs later in boot-up by setting a registry value in \\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.\r\nFinal Payload\r\nThe payload shares some similarities with the other binaries, but unlike the previous two it does not allocate a large struct and fill it with function pointers.\r\nThe final payload collects reconnaissance from the infected machine and reports back to its C2 server over HTTP.\r\nFigure: pcap showing HTTP connection\r\nOne unique feature of all the traffic collected is that the HTTP Host header is always nullptr, which makes it a simple network signature.\r\nSample Information\r\nSHA-256: 766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963\r\nSHA-1:\r\n* `638d549a24bb0a28e462c70880bf3f979f137cc6`: Main Sample\r\n* `ce0633d8be65202870e7b916e7bec5a0218cbbbb`: Packed Native API Application binary\r\n* `14598af84ee2dbd88d3fff0b60aba829a412dfbe3`: Packed rdpinst.exe (payload)\r\n* `643b295ee6985251d771b7962f2b2fc69e36f5c2`: Packed UAC bypass dll\r\n* `c803eb5e8a4a4e31e8168557d82ff54d68f3832d`: Packed 64-bit CVE-2014-4113 exploit\r\nIf you would like to learn more about this specific attack and how you can prevent it, contact us and we’d be happy to advise on a one-to-one basis.\r\nSource: https://sentinelone.com/blogs/sfg-furtims-parent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sentinelone.com/blogs/sfg-furtims-parent/"
	],
	"report_names": [
		"sfg-furtims-parent"
	],
	"threat_actors": [],
	"ts_created_at": 1775791332,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34a05c8ccdb6658c87806ba185a7335b2f01ae22.pdf",
		"text": "https://archive.orkl.eu/34a05c8ccdb6658c87806ba185a7335b2f01ae22.txt",
		"img": "https://archive.orkl.eu/34a05c8ccdb6658c87806ba185a7335b2f01ae22.jpg"
	}
}