Backdoor:Win64/Farfli - Windows Defender threat signature analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win64/Farfli
Classification:
Type: Backdoor
Platform: Win64
Family: Farfli
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), targeting the 64-bit Windows platform, family Farfli.

Summary:

Backdoor:Win64/Farfli is a sophisticated 64-bit backdoor that gains kernel-level access to the system, establishes persistence through registry modifications and services, and communicates with a command-and-control server at `.farfly.org`. It exhibits anti-analysis capabilities, masquerades as legitimate processes, and can download/execute additional payloads while attempting to hide its presence on the system.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule Backdoor_Win64_Farfli_BX_2147816722_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win64/Farfli.BX!MTB"
        threat_id = "2147816722"
        type = "Backdoor"
        platform = "Win64: Windows 64-bit platform"
        family = "Farfli"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "7zz.exe" ascii //weight: 1
        $x_1_2 = "\\ProgramData\\360.dll" ascii //weight: 1
        $x_1_3 = "ProgramData\\rundll3222.exe" ascii //weight: 1
        $x_1_4 = "\\ProgramData\\svchost.txt" ascii //weight: 1
        $x_1_5 = "VirtualAlloc" ascii //weight: 1
        $x_1_6 = "URLDownloadToFile" ascii //weight: 1
        $x_1_7 = "ShellExecute" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Remediation Steps:
Immediately isolate the infected machine from the network. Due to kernel-level compromise and advanced persistence, a full system re-imaging or reinstallation is strongly recommended. Prior to re-imaging, perform a full system scan with updated antivirus software, and consider blocking associated command-and-control domains (e.g., `.farfly.org`) at the network perimeter.
=== END REPORT ===
Analysis last updated: 04/01/2026.