General

  • Target

    40fc4d9b7d4cd8414ee27863f630cf3155bcf4ae34b2e35071456f8ac7a944fd

  • Size

    368KB

  • Sample

    220204-mk8xtahcej

  • MD5

    08a336361d0551bf2ff72ae0eb06f23c

  • SHA1

    f914d02fb056fd59f8dd88ea87b0d30dd97786e3

  • SHA256

    40fc4d9b7d4cd8414ee27863f630cf3155bcf4ae34b2e35071456f8ac7a944fd

  • SHA512

    a9be11cad129d138da08621b525afa42eda1d5c14b103e09a7562b0524e186a80bd8286585a0fa59fc64eeddb484b945bdc78abd10a2539b6e395de23050dff8


Targets

    • Target

      40fc4d9b7d4cd8414ee27863f630cf3155bcf4ae34b2e35071456f8ac7a944fd

    • GoldenSpy

      Backdoor first reported in June 2020, distributed as an embedded component of the Chinese "Intelligent Tax" software.

    • GoldenSpy Payload

    • suricata: ET MALWARE GoldenSpy Domain Observed

    • Executes dropped EXE

    • Sets service image path in registry

    • Loads dropped DLL

    • Checks installed software on the system

      Reads entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and its Wow6432Node counterpart on 64-bit systems) to enumerate the software installed on the system.

    • Drops file in System32 directory
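
The behaviours listed above (a service ImagePath written to the registry, an executable dropped into System32, and the Run-key persistence recorded in the ATT&CK matrix that follows) can be hunted for in endpoint telemetry. The following is an added example and is not part of this report or of the sandbox's own signature logic: Python detection logic run over a constructed Sysmon-style trace (Event 11 FileCreate, Event 13 registry value set). The process names, service name, paths and timestamps in the sample trace are made up for illustration and are not indicators from this sample; the technique IDs are the ATT&CK v6 ones used in this report.

```python
"""Hunt for service-installation and Run-key persistence in Sysmon-style events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample trace (not taken from the report). Fields:
# (event_id, writing process image, target object, details, utc time).
# Sysmon Event 11 = FileCreate (target is the created file),
# Event 13 = RegistryEvent Value Set (target is the value, details the data).
SAMPLE_EVENTS: List[Tuple[int, str, str, str, str]] = [
    (11, r"C:\Users\victim\AppData\Local\Temp\installer.exe",
     r"C:\Windows\System32\example_svc.exe", "", "2022-02-04 10:00:01"),
    (13, r"C:\Users\victim\AppData\Local\Temp\installer.exe",
     r"HKLM\System\CurrentControlSet\Services\example_svc\ImagePath",
     r'"C:\Windows\System32\example_svc.exe" -service', "2022-02-04 10:00:02"),
    (13, r"C:\Users\victim\AppData\Local\Temp\installer.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example_svc",
     r"C:\Windows\System32\example_svc.exe", "2022-02-04 10:00:03"),
    # Benign control: the Service Control Manager writing the path of a
    # pre-existing binary, using the %SystemRoot% form services often use.
    (13, r"C:\Windows\System32\services.exe",
     r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     r"%SystemRoot%\System32\spoolsv.exe", "2022-02-04 10:00:04"),
]

SERVICE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\",
                     re.IGNORECASE)
# First token of an ImagePath: optionally quoted, ends in a PE extension;
# any trailing service arguments are ignored.
EXE_IN_IMAGEPATH = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|sys))"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK v6 ID, as in the report's matrix (T1060 is T1547.001 in current ATT&CK)
    target: str      # registry value that was written
    writer: str      # process that wrote it
    reason: str


def normalize_path(path: str) -> str:
    """Lower-case a path and expand the %SystemRoot% and \\??\\ forms used in service paths."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%systemroot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    return p.lower()


def hunt(events: List[Tuple[int, str, str, str, str]]) -> List[Finding]:
    """Correlate dropped executables with service ImagePath writes and flag Run-key additions."""
    dropped: Dict[str, str] = {}   # normalized path of created PE file -> creating process
    findings: List[Finding] = []
    for event_id, writer, target, details, _time in events:
        if event_id == 11 and target.lower().endswith((".exe", ".dll", ".sys")):
            dropped[normalize_path(target)] = writer
            continue
        if event_id != 13:
            continue
        svc = SERVICE_IMAGEPATH.search(target)
        if svc:
            exe = EXE_IN_IMAGEPATH.match(details)
            image = normalize_path(exe.group(1)) if exe else ""
            if image in dropped:
                findings.append(Finding(
                    "T1112", target, writer,
                    f"service '{svc.group(1)}' ImagePath points to a file dropped by {dropped[image]}"))
            elif not writer.lower().endswith("\\services.exe"):
                # Legitimate installs go through CreateService and the SCM writes the key;
                # a direct write by another process is how the sandbox sees this behaviour.
                findings.append(Finding(
                    "T1112", target, writer,
                    "ImagePath written directly rather than by the Service Control Manager"))
        elif RUN_KEY.search(target):
            findings.append(Finding("T1060", target, writer, "Run key value added"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.writer} -> {f.target}: {f.reason}")
```

The SCM heuristic is deliberately loose: a benign installer that writes ImagePath itself will also be flagged, so the dropped-file correlation is the higher-confidence signal and the direct-write case is a lead to triage rather than an alert on its own.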

MITRE ATT&CK Matrix (ATT&CK v6)

The number beside each technique is the count of matched signatures. Technique IDs follow ATT&CK v6, the version the report was generated against; in the current matrix T1060 is deprecated and the same behaviour maps to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). T1112, T1012 and T1082 keep their IDs.

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1
