{
	"id": "1ea1946b-eb83-4938-9872-e8f65fccaf23",
	"created_at": "2026-04-06T01:29:30.754363Z",
	"updated_at": "2026-04-10T03:30:33.906564Z",
	"deleted_at": null,
	"sha1_hash": "c8a4bd6b756f18d222d542f5091e6385dcc1c5ea",
	"title": "SASFIS - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46850,
	"plain_text": "SASFIS - Threat Encyclopedia | Trend Micro (US)\r\nAnalysis by: Dianne Lagrimas\r\nArchived: 2026-04-06 00:52:55 UTC\r\nMalware belonging to the SASFIS family is known to be downloaded onto systems when users visit sites that have been compromised using the \"Eleonore\" exploit pack. SASFIS variants are also sent via spammed messages, such as spoofed messages purporting to come from Facebook and the iTunes Store. These email messages carry a .ZIP file attachment containing TROJ_SASFIS.HN.\r\nSASFIS is also associated with FAKEAV variants that are downloaded onto systems when users visit pornographic sites. Though viewed as a simple downloader, SASFIS opens affected systems to botnet attacks, particularly ZeuS and BREDOLAB.\r\nSASFIS has been spotted as early as 2009. Affected systems may take part in botnet operations, are susceptible to data theft, and are difficult to clean up.\r\nThe cybercriminals behind SASFIS use pay-per-install (PPI) and pay-per-access (PPA) business models to earn money.\r\nPPI business model: Cybercriminals behind other malware families, such as ZeuS and BREDOLAB, pay the SASFIS creators to have their malware downloaded and installed on systems already infected with SASFIS.\r\nPPA business model: The SASFIS creators list a number of adult websites in the code of the components downloaded by SASFIS variants. When a SASFIS-infected system accesses any of these websites, it is redirected to one of the listed adult websites.\r\nInstallation\r\nThis Trojan drops the following file:\r\n%User Profile%\\Local Settings\\{random file name}.exe\r\n(Note: %User Profile% is the current user's profile folder, which is usually C:\\Windows\\Profiles\\{user name} on Windows 98 and ME, C:\\WINNT\\Profiles\\{user name} on Windows NT, and C:\\Documents and Settings\\{user name} on Windows 2000, XP, and Server 2003.)\r\nOther System Modifications\r\nThis Trojan modifies the following registry entry:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nShell = \"Explorer.exe rundll32.exe {4 random letters}.{3 random letters} {6 random letters}\"\r\n(Note: The default value data of the said registry entry is Explorer.exe. Winlogon uses this value to start the user's shell, so the appended rundll32.exe command runs at every logon; a Shell value that is anything other than Explorer.exe warrants investigation.)\r\nIt also creates the following registry entries as part of its installation routine:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Word\\Security\r\nLevel = \"4\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Word\\Security\r\nAccessVBOM = \"0\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSCardSvr = \"%User Profile%\\Local Settings\\{random file name}.exe\"\r\n(Note: The Run value name SCardSvr mimics the name of the legitimate Windows Smart Card service; the legitimate service is not started from a user's Run key or from a file under %User Profile%\\Local Settings.)\r\nOther Details\r\nThis Trojan connects to the following possibly malicious URLs:\r\nhttp://www.google.com/{BLOCKED}mapandtet\r\nhttp://{BLOCKED}.{BLOCKED}.69.202:443/{5 random letters}.php?id={alphanumeric ID}\r\nhttp://{BLOCKED}.{BLOCKED}.138.100:80/{5 random letters}.php?id={alphanumeric ID}\r\nVariant Information\r\nThis Trojan has the following MD5 hashes:\r\n0280c89e03f255141a7d6fc400cfd51e\r\n4b0eb6b90c8dbeeaf5a870b7cdf77d00\r\nccf8b4c5d8fbcf4f16277f871ecf4197\r\neae86cc58b8ef8ad98b7db4dcf01102f\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis"
	],
	"report_names": [
		"sasfis"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438970,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8a4bd6b756f18d222d542f5091e6385dcc1c5ea.pdf",
		"text": "https://archive.orkl.eu/c8a4bd6b756f18d222d542f5091e6385dcc1c5ea.txt",
		"img": "https://archive.orkl.eu/c8a4bd6b756f18d222d542f5091e6385dcc1c5ea.jpg"
	}
}