Virus Bulletin :: Shifu – the rise of a self-destructive banking trojan
Common Information
Type Value
UUID ca64c83f-5df9-4d91-9f1a-21ea71fd5278
Fingerprint df982d35ad2725d3
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 2, 2015, midnight
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Shifu – the rise of a self-destructive banking trojan
Title Virus Bulletin :: Shifu – the rise of a self-destructive banking trojan
Detected Hints/Tags/Attributes 110/4/49
Attributes
Details Type #Events CTI Value
Details CVE 5
cve-2015-0003
Details IPv4 1441
127.0.0.1
Details Url 1
https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/.
Details Url 1
https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/.
Details Windows Registry Key 22
HKCU\Software\Microsoft\Internet
Details Windows Registry Key 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet