General

  • Target

    2f65238e7b3a8ddd719fb19a506cd1d964fc7b5cab6f3f4e95235c235cac2190

  • Size

    351KB

  • Sample

    220204-mmgakshcfr

  • MD5

    ed8a45d45c7dceb822c739ff878525e5

  • SHA1

    8c62c96c46133ac71995b294cf2209d1b8a3e5a5

  • SHA256

    2f65238e7b3a8ddd719fb19a506cd1d964fc7b5cab6f3f4e95235c235cac2190

  • SHA512

    8cacd4759ed75a0bf04b2d5513700ea48827b9fae2028ac453603036e96928e581dcc13294fb32aee97583e77e5eed53bf4c6621d6ebde97f33d5eeb050fa1d7

Malware Config

Targets

    • Target

      edadf30df18e6a7ea190041cf3bd4a0b

    • Size

      366KB

    • MD5

      edadf30df18e6a7ea190041cf3bd4a0b

    • SHA1

      b33c269642bf42b8c71988b9ddbe298e00b65ef1

    • SHA256

      3b8761d2e19bc5185f55cc2f575bbe54a45a52fc1c8650a60f1bd13e01e24655

    • SHA512

      0a22b64f763aa5bf471e2b889899665fa060ae4bd2288c2dd07731aa7411c7d6c2be0c0e3d619adcf064a1815f4a9f641815076970bb690d1ef9390811a1a810

    • GoldenSpy

      Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.

    • GoldenSpy Payload

    • suricata: ET MALWARE GoldenSpy Domain Observed

    • Executes dropped EXE

    • Sets service image path in registry

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                             Count  ID
Persistence       Registry Run Keys / Startup Folder    1      T1060
Defense Evasion   Modify Registry                       1      T1112
Discovery         Query Registry                        1      T1012
Discovery         System Information Discovery          1      T1082

Tasks