{
	"id": "b6878e8d-e1f5-4000-99d3-7716650175aa",
	"created_at": "2026-04-06T00:08:18.004635Z",
	"updated_at": "2026-04-10T03:20:24.377026Z",
	"deleted_at": null,
	"sha1_hash": "86e3bf662a539831063318fd2b4f9ba3974b3409",
	"title": "Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192994,
	"plain_text": "Hunting down Dofoil with Windows Defender ATP | Microsoft\r\nSecurity Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2018-04-04 · Archived: 2026-04-05 18:09:16 UTC\r\nDofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of\r\ncomputers in March 2018. In previous blog posts we detailed how behavior monitoring and machine learning in\r\nWindows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software\r\nupdate poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10\r\nconfiguration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.\r\nIn this blog post, we will expound on Dofoil’s anti-debugging and anti-analysis tactics, and demonstrate how the\r\nrich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard\r\ncan help during investigation.\r\nWe found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual\r\nmachine environments. It also checks for various analysis tools and kills them right away. This can make malware\r\nanalysis and assessment challenging.\r\nThe following diagram shows the multi-stage malware execution process, which includes checks for traits of\r\nanalysis environments during some stages.\r\nFigure 1. Dofoil multi-stage shellcode and payload execution flow\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/\r\nPage 1 of 14\n\nThe table below describes the purpose of each stage. The first five stages each have at least one or two different\r\ntechniques that can deter dynamic or static malware analysis.\r\nSTAGE | DESCRIPTION\r\n1. Obfuscated wrapper code | Anti-heuristics; anti-emulation\r\n2. Bootstrap module | Performs self-process hollowing to load the next module\r\n3. 
Anti-debugging module | Performs anti-debugging operation\r\n4. Trojan downloader module | Performs system environment checks; performs anti-VM operation; injects itself into explorer.exe through process hollowing\r\n5. Trojan downloader module in explorer.exe | Contacts the C\u0026C server to download the trojan and runs it using the process hollowing technique\r\n6. Payload downloader module in explorer.exe | Contacts the C\u0026C server to download the main payload\r\n7. Trojan module | Steals credentials from various application settings and sends the stolen info to the C\u0026C server over an HTTP channel\r\n8. CoinMiner.D | Mines digital currencies\r\nTable 1. Dofoil’s multi-stage modules\r\nInitial stages\r\nThe first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following\r\ntechniques to avoid analysis and identification.\r\nANTI-ANALYSIS TECHNIQUE | DESCRIPTION\r\nBenign code insertion | Inserts a huge benign code block to confuse heuristics and manual inspection\r\nAnti-emulation | Enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\\Interface\\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check if the malware runs inside an emulator\r\nSelf-process hollowing | Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping\r\nDebugger checks | Checks for debuggers, and modifies code to crash. This can add an additional layer of confusion for researchers, who are bound to investigate the cause of the crashes. It checks the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. 
For example, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK|FLG_HEAP_VALIDATE_PARAMETERS when a debugger is attached to the process.\r\nTable 2. Anti-analysis techniques\r\nThe first stage contains some benign-looking code before the actual malicious code. This can give the executable a\r\nharmless appearance. It can also make emulation of the code difficult, because emulating the various API calls that\r\nare not present in many malware samples can be challenging.\r\nThe first-stage code also performs a registry key enumeration to make sure it has the expected value. When all\r\nchecks are passed, it decodes the second-stage shellcode and runs it in the allocated memory. This shellcode unmaps the original main module’s memory, and then decodes the third-stage shellcode into that memory; this is\r\nknown as a self-process hollowing technique.\r\nFigure 2. Self-modification based on PEB.BeingDebugged value\r\nWindows Defender ATP’s process tree can help with investigation by exposing these anti-debugging techniques.\r\nFigure 3. 
Windows Defender ATP process tree showing anti-debugging techniques\r\nTrojan downloader module\r\nThe trojan downloader module performs various environment checks, including virtual environment and analysis\r\ntool checks, before downloading the payload.\r\nANTI-ANALYSIS TECHNIQUE | DESCRIPTION\r\nCheck module name | Checks if the main executable name contains the string “sample”\r\nCheck volume serial | Checks if the current volume serial number is 0xCD1A40 or 0x70144646\r\nCheck modules | Checks for the presence of DLLs related to debuggers\r\nCheck disk-related registry keys | Checks the value of the registry key HKLM\\System\\CurrentControlSet\\Services\\Disk\\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24)\r\nProcess check | Checks running processes and kills those with process names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe)\r\nWindows class name check | Checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass)\r\nTable 3. Anti-analysis techniques of Dofoil’s trojan downloader module\r\nThe list of target process names and Windows class names is stored in custom checksum form. The checksum\r\nalgorithm looks like the following:\r\nFigure 4. 
Shift and XOR custom checksum algorithm\r\nThe purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it\r\ndetects, making analysis more time-consuming.\r\nSTRING | CHECKSUM\r\nAutoruns | 0x0E5C1C5D\r\nPROCEXPL | 0x1D421B41\r\nPROCMON_WINDOW_CLASS | 0x4B0C105A\r\nTCPViewClass | 0x1D4F5C43\r\nProcessHacker | 0x571A415E\r\nOllyDbg | 0x4108161D\r\nWinDbgFrameClass | 0x054E1905\r\nprocexp.exe | 0x19195C02\r\nprocexp64.exe | 0x1C0E041D\r\nprocmon.exe | 0x06185D0B\r\nprocmon64.exe | 0x1D07120A\r\ntcpview.exe | 0x060B5118\r\nwireshark.exe | 0x550E1E0D\r\nprocesshacker.exe | 0x51565C47\r\nollydbg.exe | 0x04114C14\r\nx32dbg.exe | 0x5F4E5C04\r\nidaq.exe | 0x14585A12\r\nTable 4. String checksum table used for process names and Windows class names\r\nProcess hollowing\r\nDofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The\r\nDofoil shellcode launches a new instance of explorer.exe, allocates shellcode in a heap region, and then modifies the\r\nentry point code to jump into the shellcode. This way, the malware avoids using the CreateRemoteThread API, but\r\ncan still achieve code injection.\r\nFigure 5. Modification of explorer.exe entry point code\r\nWindows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following\r\nprocess tree shows that the malware injects itself into explorer.exe using the process hollowing technique.\r\nFigure 6. Windows Defender ATP alert process tree showing the first process hollowing\r\nWhen the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into\r\nusing process hollowing. 
Windows Defender ATP can save analysis time in these cases by pinpointing the\r\nmalicious actions, eliminating the need to guess what these newly spawned Windows system processes are\r\ndoing.\r\nFigure 7. Windows Defender ATP alert process tree showing the second process hollowing\r\nThe process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard.\r\nThis can be done by enabling the Export Address Filter (EAF) mitigation for explorer.exe. The detection\r\nhappens when the shellcode walks the export addresses of the loaded modules to find the export address of the\r\nLoadLibraryA and GetProcAddress functions.\r\nFigure 8. Export Address Filter (EAF) event exposed in Event Viewer\r\nWindows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:\r\nFigure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event\r\nAdding a Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe,\r\ncmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques\r\ncommonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we\r\nrecommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.\r\nCommand-and-control (C\u0026C) and NameCoin domains\r\nDofoil’s C\u0026C connection is very cautious. The trojan code first tries to connect to well-known web pages and\r\nverifies that the malware has a proper, real Internet connection, not a simulated one as in test environments. After it\r\nmakes sure it has a real Internet connection, the malware makes HTTP connections to the actual C\u0026C servers.\r\nFigure 10. Access to known servers to confirm Internet connectivity\r\nThe malware uses NameCoin domain name servers. 
NameCoin is a decentralized name server system that\r\nprovides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use\r\nspecific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because\r\nNameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.\r\nFigure 11. Malicious hostname DNS entry changes over time (https://namecha.in/name/d/vrubl)\r\nWindows Defender ATP can provide visibility into the malware’s network activities. The following alert process\r\ntree shows the malware’s .bit domain resolution activity and, after that, the connections to the resolved C\u0026C\r\nservers. You can also view other activities from the executable, for example, its connections to other servers using\r\nSMTP ports.\r\nFigure 12. Windows Defender ATP alert process tree showing C\u0026C server connection through NameCoin server\r\nname resolution\r\nThe Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down\r\nmore malware samples that possibly abuse NameCoin servers. For example, the following advanced hunting\r\nquery finds recent connections to Dofoil C\u0026C servers from your network. This can lead to extra insights on other\r\nthreats that use the same NameCoin servers.\r\nFigure 13. Advanced hunting for other threats using the same NameCoin servers\r\nThe purpose of using NameCoin is to prevent easy sinkholing of the domains. 
Because there is no central\r\nauthority over the NameCoin domain name records, it is not possible for authorities to change the domain\r\nrecord. Also, malware abusing NameCoin servers uses massive numbers of NameCoin DNS servers to make a full\r\nshutdown of those servers very difficult.\r\nConclusion\r\nDofoil is very evasive malware. It has various system environment checks and tests Internet connectivity to\r\nmake sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis\r\ntime-consuming and can mislead malware analysis systems.\r\nIn attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can\r\nhelp network defenders analyze the timeline from the victim machine and get rich information on process\r\nexecution flow, C\u0026C connections, and process hollowing activities. With the new advanced hunting capabilities in\r\npreview, you can run powerful custom queries and pivot freely to different sets of possible targets, malicious\r\nentities, and suspicious activity. Windows Defender ATP can also be used as an analysis platform with fine-tuned\r\nvisibility into system activities when set up in a lab environment. This can save time and resources during malware\r\ninvestigation.\r\nIn addition, Windows Defender Exploit Guard can be useful in finding malicious shellcode that traverses export\r\naddress tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and\r\nexploit activities.\r\nWindows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates\r\nprotections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application\r\nGuard. 
This integrated security management experience makes Windows Defender ATP a comprehensive solution\r\nfor detecting and responding to a wide range of malicious activities across the network.\r\nWindows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by\r\nworking exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This\r\nstreamlined, Microsoft-verified platform seals common malware entry points.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nMatt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich\r\nWindows Defender ATP Research\r\nIndicators of compromise (IoCs)\r\nTrojanDownloader:Win32/Dofoil.AB:\r\nd191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d\r\neaa63f6b500afedcaeb8d5b18a08fd6c7d95695ea7961834b974e2a653a42212\r\ncded7aedca6b54a6d4273153864a25ccad35cba5cafeaec828a6ad5670a5973a\r\nTrojan:Win32/Dofoil.AB:\r\n070243ad7fb4b3c241741e564039c80ca65bfdf15daa4add70d5c5a3ed79cd5c\r\n5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299C\r\n28ce9763a808c4a7509e9bf92d9ca80212a241dfa1aecd82caedf1f101eac692\r\n5d7875abbbf104f665a0ee909c372e1319c5157dfc171e64ac2bc8b71766537f\r\nTrojan:Win32/CoinMiner.D:\r\n2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12\r\nC\u0026C URLs:\r\nhxxp://levashov.bit/15022018/\r\nhxxp://vrubl.bit/15022018/\r\nC\u0026C server:\r\nvinik.bit\r\nRelated .bit domains (updated in same block as C\u0026C server):\r\nhenkel.bit\r\nmakron.bit\r\nmakronwin.bit\r\nNameCoin servers used by 
Dofoil:\r\n139.59.208.246\r\n130.255.73.90\r\n31.3.135.232\r\n52.174.55.168\r\n185.121.177.177\r\n185.121.177.53\r\n62.113.203.55\r\n144.76.133.38\r\n169.239.202.202\r\n5.135.183.146\r\n142.0.68.13\r\n103.253.12.18\r\n62.112.8.85\r\n69.164.196.21\r\n107.150.40.234\r\n162.211.64.20\r\n217.12.210.54\r\n89.18.27.34\r\n193.183.98.154\r\n51.255.167.0\r\n91.121.155.13\r\n87.98.175.85\r\n185.97.7.7\r\nSource: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/"
	],
	"report_names": [
		"hunting-down-dofoil-with-windows-defender-atp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86e3bf662a539831063318fd2b4f9ba3974b3409.pdf",
		"text": "https://archive.orkl.eu/86e3bf662a539831063318fd2b4f9ba3974b3409.txt",
		"img": "https://archive.orkl.eu/86e3bf662a539831063318fd2b4f9ba3974b3409.jpg"
	}
}