chinese_generic_botnet | 9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7

General

Target

tmp/xp.exe
Size

1.3MB
MD5

80526cfb4316313ed339ca64368f5fae
SHA1

96507bec2754a51dca329bb73e2b2c56ce73e269
SHA256

9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7
SHA512

38155a4b8713e78c737108a1c6ff119b06832121d789bec0ced3f7fa140c07d6478c320a4f5fa97834a1ec67b7bb1d7ec8c890fd0934b7bc5c5fbc3f27e037d3

Score

10^/10

chinese_generic_botnet botnet evasion persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/3840-116-0x0000000000400000-0x00000000007BD000-memory.dmp	unk_chinese_botnet

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Wine	xp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jthrllf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp\\xp.exe"	xp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3840	xp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3840	xp.exe
3840	xp.exe
3840	xp.exe
3840	xp.exe

C:\Users\Admin\AppData\Local\Temp\tmp\xp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\xp.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3840-115-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/3840-116-0x0000000000400000-0x00000000007BD000-memory.dmp

Filesize
3.7MB

Download
memory/3840-117-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3840-118-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3840-119-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3840-120-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/3840-121-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/3840-123-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3840-122-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3840-124-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/3840-125-0x0000000004A70000-0x0000000004A72000-memory.dmp

Filesize
8KB

Download
memory/3840-126-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3840-127-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3840-129-0x0000000004A30000-0x0000000004A32000-memory.dmp

Filesize
8KB

Download
memory/3840-128-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3840-130-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3840-131-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3840-132-0x0000000010001000-0x000000001000C000-memory.dmp

Filesize
44KB

Download
memory/3840-133-0x000000001000C000-0x0000000010012000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads