FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines - Microsoft Security Blog
Common Information
Type Value
UUID 9631f21a-b559-4b64-8036-0b78c3693063
Fingerprint 2610f935edbb0793
Analysis status DONE
Considered CTI value 2
Text language
Published March 1, 2018, 2:37 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines
Title FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines - Microsoft Security Blog
Detected Hints/Tags/Attributes 92/3/32
Attributes
Type                  #Events  CTI  Value
Domain                12            setup.cab
File                  533           ntdll.dll
File                  748           kernel32.dll
File                  229           advapi32.dll
File                  89            version.dll
File                  8             d3d9.dll
File                  6             aepic.dll
File                  3             sspisrv.dll
File                  37            userenv.dll
File                  12            msvcr90.dll
File                  1260          explorer.exe
File                  212           winlogon.exe
File                  12            setup.cab
File                  2             wsecedit.rar
File                  127           c:\windows\system32\rundll32.exe
File                  2             c:\programdata\auditapp\d3d9.dll
File                  29            uxtheme.dll
File                  4             printui.exe
File                  4             ftllib.dll
File                  4             fltlib.dll
File                  1122          svchost.exe
File                  291           user32.dll
File                  115           win32k.sys
Windows Registry Key  15            HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
Windows Registry Key  164           HKLM\SOFTWARE\Microsoft\Windows
Windows Registry Key  1             HKCU\Software\Microsoft\Windows\Run