This threat can modify the Windows Hosts file. The local Hosts file takes precedence over DNS resolution, mapping a hostname to a particular IP address before any DNS query is made. Malicious software may modify the Hosts file in order to redirect specified hostnames to attacker-chosen IP addresses. Malware often modifies an affected computer's Hosts file in order to stop users from reaching websites associated with particular security-related applications (for example, antimalware software and their update servers).
Modifies system security settings
The malware can disable Firewall notifications from the Windows Security Center by making the following registry modification:
Adds value: "FirewallDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Contacts remote hosts
We have seen this threat contact the following remote hosts using port 80:
aminastol.com
dominoclub-grup.com
elementarimagine.com
fairstood.net
groupguess.net
jarybuter.com
mojoguia.com
mojositio.com
spokefirst.net
spokeguess.net
spokekill.net
spokestood.net
villemojo.com
visitfirst.net
visitguess.net
visitkill.net
visitstood.net
watchstood.net
Commonly, malware may contact a remote host for the following purposes:
To confirm Internet connectivity
To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected PC
This malware description was produced and published using our automated analysis system's examination of file SHA1 a0e0a4dfc402ebe095a04eded8ee9d16935d5afd.