Managed XDR

iot_driver (Jeefo) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: iot_driver
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 6.4 MB
Первое обнаружение: 2025-09-19 17:09
Последнее обнаружение: 2025-09-19 17:09

Окружение

win7/x86 en

Хеши

SHA1: 1f068c497a7ccdfe3f36bf48b1f74795e303d4c1
SHA256: 8c7e77607d730c37268e0c7690c2fb8ec644b70faecfdc153171c6ee758e14b2
MD5: 383680daa27ff6234f0712d0f026f14c

Вредоносное ПО

Jeefo

Сигнатуры

Execution

T1569.002 persistence_service: Starts newly created service

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antisandbox_check_temperature: Uses WMI to detect CPU temperature or fan speed

T1036 system_filename: Created a file named as a common system file

T1036 system_procname: Created a process named as a common system process

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1003.001 dumps_lsass: Dumps lsass.exe process (probably, to extract credentials)

Discovery

T1497.001 antisandbox_check_temperature: Uses WMI to detect CPU temperature or fan speed

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules

creates_exe: Creates executable files in the file system

creates_in_windows: Creates files in the Windows directory

jeefo_mutexes: Jeefo Virus indicators detected (mutexes)

network_bind: Starts servers listening at 127.0.0.1:3814

suspicious_process: Spawns a suspicious process

test_check_service: Starts services

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

suricata_alert: Malicious traffic detected