{"id":81740,"date":"2018-04-04T08:00:18","date_gmt":"2018-04-04T15:00:18","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=81740"},"modified":"2023-05-15T23:03:40","modified_gmt":"2023-05-16T06:03:40","slug":"hunting-down-dofoil-with-windows-defender-atp","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/","title":{"rendered":"Hunting down Dofoil with Windows Defender ATP"},"content":{"rendered":"

Dofoil<\/a> is a sophisticated threat that attempted to install coin miner malware<\/a> on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV<\/a> protected customers from a massive Dofoil outbreak<\/a> that we traced back to a software update poisoning campaign<\/a> several weeks prior. Notably, customers of Windows 10 S<\/a>, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.<\/p>\n

In this blog post, we will expound on Dofoil\u2019s anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection<\/a> and Windows Defender Exploit Guard<\/a> can help during investigation.<\/p>\n

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.<\/p>\n

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.<\/p>\n

\"\"<\/p>\n

Figure 1. Dofoil multi-stage shellcode and payload execution flow<\/em><\/p>\n

The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
STAGES<\/strong><\/th>\nDESCRIPTION<\/strong><\/th>\n<\/tr>\n
1. Obfuscated wrapper code<\/strong><\/td>\nAnti-heuristics<\/p>\n

Anti-emulation<\/td>\n<\/tr>\n

2. Bootstrap module<\/strong><\/td>\nPerforms self-process hollowing to load the next module<\/td>\n<\/tr>\n
3. Anti-debugging module<\/strong><\/td>\nPerforms anti-debugging operation<\/td>\n<\/tr>\n
4. Trojan downloader module<\/strong><\/td>\nPerforms system environment checks<\/p>\n

Performs anti-VM operation<\/p>\n

Injects itself to explorer.exe<\/em> through process hollowing<\/td>\n<\/tr>\n

5. Trojan downloader module in explorer.exe<\/em><\/strong><\/td>\nContacts C&C server to download trojan and run it using process hollowing technique<\/td>\n<\/tr>\n
6. Payload downloader module in explorer.exe<\/em><\/strong><\/td>\nContacts C&C server to download the main payload<\/td>\n<\/tr>\n
7. Trojan module<\/strong><\/td>\nSteals credentials from various application settings and sends stolen into to the C&C server over HTTP channel<\/td>\n<\/tr>\n
8. CoinMiner.D<\/strong><\/td>\nMines digital currencies<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. Dofoil’s multi-stage modules<\/em><\/p>\n

Initial stages<\/h2>\n

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.<\/p>\n\n\n\n\n\n\n\n
ANTI-ANALYSIS TECHNIQUES<\/strong><\/th>\nDESCRIPTION<\/th>\n<\/tr>\n
Benign code insertion<\/strong><\/td>\nInserts a huge benign code block to confuse heuristics and manual inspection<\/td>\n<\/tr>\n
Anti-emulation<\/strong><\/td>\nEnumerates an arbitrary registry key (HKEY_CLASSES_ROOT\\Interface\\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}<\/em>) and compares the data with an expected value (DispHTMLCurrentStyle<\/em>) to check if the malware runs inside an emulator<\/td>\n<\/tr>\n
Self-process hollowing<\/strong><\/td>\nUses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping<\/td>\n<\/tr>\n
Debugger checks<\/strong><\/td>\nChecks for debuggers, and modifies code to crash. This can add additional layer of confusion to researchers, who are bound to investigate the cause of the crashes. It checks for the PEB.BeingDebugged<\/em> and PEB.NtGlobalFlag<\/em> fields in the PEB structure. For example, PEB.BeingDebugged<\/em> is set to 1<\/em> and PEB.NtGlobalFlag<\/em> is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK| FLG_HEAP_VALIDATE_PARAMETERS<\/em> when a debugger is attached to the process.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 2. Anti-analysis techniques\u00a0<\/em><\/p>\n

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging.<\/p>\n

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. This shellcode un-maps the original main module\u2019s memory, and then decodes the third-stage shellcode into that memory \u2013 this is known as a self-process hollowing<\/a> technique.<\/p>\n

\"\"<\/p>\n

Figure 2. Self-modification based on PEB.BeingDebugged<\/em> value<\/p>\n

Windows Defender ATP\u2019s process tree can help with investigation by exposing these anti-debugging techniques.<\/p>\n

\"\"<\/p>\n

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques<\/em><\/p>\n

Trojan downloader module<\/h2>\n

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.<\/p>\n\n\n\n\n\n\n\n\n\n
ANTI-ANALYSIS TECHNIQUES<\/span><\/b><\/th>\nDESCRIPTION<\/th>\n<\/tr>\n
Check module name<\/strong><\/td>\nChecks if the main executable name contains the string “sample”<\/td>\n<\/tr>\n
Check volume serial<\/strong><\/td>\nChecks if current volume serial number is 0xCD1A40<\/em> or 0x70144646<\/em><\/td>\n<\/tr>\n
Check modules<\/strong><\/td>\nChecks the presence of DLLs related to debuggers<\/td>\n<\/tr>\n
Check disk-related registry keys<\/strong><\/td>\nChecks the value of the registry key HKLM\\System\\CurrentControlSet\\Services\\Disk\\Enum<\/em> against well-known disk name patterns for virtual machines (qemu<\/em>, virtual<\/em>, vmware<\/em>, xen<\/em>, ffffcce24<\/em>)<\/td>\n<\/tr>\n
Process check<\/strong><\/td>\nChecks running processes and kills those with processes names associated with analysis tools (procexp.exe<\/em>, procexp64.exe<\/em>, procmon.exe<\/em>, procmon64.exe<\/em>, tcpview.exe<\/em>, wireshark.exe<\/em>, processhacker.exe<\/em>, ollydbg.exe<\/em>, idaq.exe<\/em>, x32dbg.exe<\/em>)<\/td>\n<\/tr>\n
Windows class name check<\/strong><\/td>\nChecks the current Windows class names and exits when some well-known names are found (Autoruns<\/em>, PROCEXPL<\/em>, PROCMON_WINDOW_CLASS<\/em>, TCPViewClass<\/em>, ProcessHacker<\/em>, OllyDbg<\/em>, WinDbgFrameClass<\/em>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 3. Anti-analysis technique\u00a0of Dofoil’s trojan downloader module<\/span><\/i><\/em><\/p>\n

The list of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following:<\/p>\n

\"\"<\/p>\n

Figure 4. Shift and XOR custom checksum algorithm<\/em><\/p>\n

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
STRING<\/th>\nCHECKSUM<\/strong><\/th>\n<\/tr>\n
Autoruns<\/strong><\/td>\n0x0E5C1C5D<\/td>\n<\/tr>\n
PROCEXPL<\/strong><\/td>\n0x1D421B41<\/td>\n<\/tr>\n
PROCMON_WINDOW_CLASS<\/strong><\/td>\n0x4B0C105A<\/td>\n<\/tr>\n
TCPViewClass<\/strong><\/td>\n0x1D4F5C43<\/td>\n<\/tr>\n
ProcessHacker<\/strong><\/td>\n0x571A415E<\/td>\n<\/tr>\n
OllyDbg<\/strong><\/td>\n0x4108161D<\/td>\n<\/tr>\n
WinDbgFrameClass <\/strong><\/td>\n0x054E1905<\/td>\n<\/tr>\n
procexp.exe <\/strong><\/td>\n0x19195C02<\/td>\n<\/tr>\n
procexp64.exe <\/strong><\/td>\n0x1C0E041D<\/td>\n<\/tr>\n
procmon.exe <\/strong><\/td>\n0x06185D0B<\/td>\n<\/tr>\n
procmon64.exe <\/strong><\/td>\n0x1D07120A<\/td>\n<\/tr>\n
tcpview.exe <\/strong><\/td>\n0x060B5118<\/td>\n<\/tr>\n
wireshark.exe <\/strong><\/td>\n0x550E1E0D<\/td>\n<\/tr>\n
processhacker.exe <\/strong><\/td>\n0x51565C47<\/td>\n<\/tr>\n
ollydbg.exe <\/strong><\/td>\n0x04114C14<\/td>\n<\/tr>\n
x32dbg.exe <\/strong><\/td>\n0x5F4E5C04<\/td>\n<\/tr>\n
idaq.exe <\/strong><\/td>\n0x14585A12<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 4. String checksum table used for process names and Windows class names<\/em><\/p>\n

Process hollowing<\/h2>\n

Dofoil heavily uses the process hollowing<\/a> technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using CreateRemoteThread<\/em> API, but can still achieve code injection.<\/p>\n

\"\"<\/p>\n

Figure 5. Modification of <\/em>explorer.exe entry point code<\/em><\/p>\n

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.<\/p>\n

\"\"<\/p>\n

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing<\/em><\/p>\n

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing.<\/p>\n

\"\"<\/p>\n

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing<\/em><\/p>\n

The process hollowing behavior can be detected through Exploit protection<\/a> in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.<\/p>\n

\"\"<\/p>\n

Figure 8. Export Address Filter (EAF) event exposed in Event viewer<\/em><\/p>\n

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:<\/p>\n

\"\"<\/p>\n

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event<\/em><\/p>\n

Adding Windows Defender Exploit Guard EAF audit\/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.<\/p>\n

Command-and-control (C&C) and NameCoin domains<\/h2>\n

Dofoil\u2019s C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has proper and real Internet connection, not simulated as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.<\/p>\n

\"\"<\/p>\n

Figure 10. Access to known servers to confirm Internet connectivity<\/em><\/p>\n

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.<\/p>\n

\"\"<\/p>\n

Figure 11. Malicious hostname DNS entry changes over time (https:\/\/namecha.in\/name\/d\/vrubl<\/a>)<\/em><\/p>\n

Windows Defender ATP can provide visibility into the malware\u2019s network activities. The following alert process tree shows the malware\u2019s .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.<\/p>\n

\"\"<\/p>\n

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution<\/em><\/p>\n

The Windows Defender ATP advanced hunting<\/a> feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following advanced hunting query finds recent connections to Dofoil C&C servers<\/a> from your network. This can lead to extra insights on other threats that use the same NameCoin servers.<\/p>\n

\"\"<\/p>\n

Figure 13. Advanced hunting for other threats using the same NameCoin servers<\/em><\/p>\n

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers use massive numbers of NameCoin DNS servers to make full shutdown of those servers very difficult.<\/p>\n

Conclusion<\/h2>\n

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.<\/p>\n

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP<\/a>) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. With the new advanced hunting capabilities<\/a> in preview, you can run powerful custom queries<\/a> and pivot freely to different sets of possible targets, malicious entities, and suspicious activity. Windows Defender ATP can also be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resource during malware investigation.<\/p>\n

In addition, Windows Defender Exploit Guard<\/a> can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.<\/p>\n

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV<\/a> and Windows Defender Application Guard<\/a>. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.<\/p>\n

Windows 10 S<\/a>, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.<\/p>\n

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial<\/a><\/strong>.<\/p>\n

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich<\/em>
\nWindows Defender ATP Research<\/em><\/strong><\/p>\n

Indicators of compromise (IoCs)<\/h2>\n

TrojanDownloader:Win32\/Dofoil.AB:<\/strong><\/p>\n

d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d<\/p>\n

eaa63f6b500afedcaeb8d5b18a08fd6c7d95695ea7961834b974e2a653a42212<\/p>\n

cded7aedca6b54a6d4273153864a25ccad35cba5cafeaec828a6ad5670a5973a<\/p>\n

Trojan:Win32\/Dofoil.AB:<\/strong><\/p>\n

070243ad7fb4b3c241741e564039c80ca65bfdf15daa4add70d5c5a3ed79cd5c<\/p>\n

5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299C<\/p>\n

28ce9763a808c4a7509e9bf92d9ca80212a241dfa1aecd82caedf1f101eac692<\/p>\n

5d7875abbbf104f665a0ee909c372e1319c5157dfc171e64ac2bc8b71766537f<\/p>\n

Trojan:Win32\/CoinMiner.D<\/strong><\/p>\n

2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12<\/p>\n

C&C URLs:<\/strong><\/p>\n

hxxp:\/\/levashov.bit\/15022018\/<\/p>\n

hxxp:\/\/vrubl.bit\/15022018\/<\/p>\n

C&C server:<\/strong><\/p>\n

vinik.bit<\/p>\n

Related .bit domains (updated in same block as C&C server):<\/strong><\/p>\n

henkel.bit<\/p>\n

makron.bit<\/p>\n

makronwin.bit<\/p>\n

NameCoin servers used by Dofoil:<\/strong><\/p>\n

139.59.208.246<\/p>\n

130.255.73.90<\/p>\n

31.3.135.232<\/p>\n

52.174.55.168<\/p>\n

185.121.177.177<\/p>\n

185.121.177.53<\/p>\n

62.113.203.55<\/p>\n

144.76.133.38<\/p>\n

169.239.202.202<\/p>\n

5.135.183.146<\/p>\n

142.0.68.13<\/p>\n

103.253.12.18<\/p>\n

62.112.8.85<\/p>\n

69.164.196.21<\/p>\n

107.150.40.234<\/p>\n

162.211.64.20<\/p>\n

217.12.210.54<\/p>\n

89.18.27.34<\/p>\n

193.183.98.154<\/p>\n

51.255.167.0<\/p>\n

91.121.155.13<\/p>\n

87.98.175.85<\/p>\n

185.97.7.7<\/p>\n

\"\"<\/a><\/p>\n

\n

Talk to us<\/strong><\/h4>\n

Questions, concerns, or insights on this story? Join discussions at the Microsoft community<\/a> and Windows Defender Security Intelligence<\/a>.<\/p>\n

Follow us on Twitter @WDSecurity<\/a> and Facebook Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several […]<\/p>\n","protected":false},"author":61,"featured_media":81746,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[3690,3694],"threat-intelligence":[3727],"tags":[],"coauthors":[1968],"class_list":["post-81740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-for-endpoint","threat-intelligence-attacker-techniques-tools-and-infrastructure"],"yoast_head":"\nHunting down Dofoil with Windows Defender ATP | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-04-04T15:00:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:03:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1360\" \/>\n\t<meta property=\"og:image:height\" content=\"819\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Hunting down Dofoil with Windows Defender ATP\",\"datePublished\":\"2018-04-04T15:00:18+00:00\",\"dateModified\":\"2023-05-16T06:03:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\"},\"wordCount\":2164,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\",\"name\":\"Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png\",\"datePublished\":\"2018-04-04T15:00:18+00:00\",\"dateModified\":\"2023-05-16T06:03:40+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png\",\"width\":1360,\"height\":819},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hunting down Dofoil with Windows Defender ATP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/","og_locale":"en_US","og_type":"article","og_title":"Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog","og_description":"Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several […]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/","og_site_name":"Microsoft Security Blog","article_published_time":"2018-04-04T15:00:18+00:00","article_modified_time":"2023-05-16T06:03:40+00:00","og_image":[{"width":1360,"height":819,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Hunting down Dofoil with Windows Defender ATP","datePublished":"2018-04-04T15:00:18+00:00","dateModified":"2023-05-16T06:03:40+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/"},"wordCount":2164,"commentCount":0,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/","name":"Hunting down Dofoil with Windows Defender ATP | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png","datePublished":"2018-04-04T15:00:18+00:00","dateModified":"2023-05-16T06:03:40+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/01-dofoil-multi-stage-execution-flow.png","width":1360,"height":819},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Hunting down Dofoil with Windows Defender ATP"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/81740"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=81740"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/81740\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/81746"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=81740"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=81740"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=81740"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=81740"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=81740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=81740"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=81740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}