Resubmissions

03-08-2024 22:09

240803-125hls1glb 8

03-08-2024 19:59

240803-yqvg6aybrc 8

Analysis

  • max time kernel
    297s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03-08-2024 22:09

General

  • Target

    goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe

  • Size

    95KB

  • MD5

    fd680538c2a80dc54c63ae39c3563fbd

  • SHA1

    34fc71b71ab4361a68bf8355e9b2f54dd8cf910f

  • SHA256

    fa9a32ae6eb24e2290941ea60f80e914168e1f84e900293bffd4393fb9a8fae2

  • SHA512

    8bae7d75dcaf708433504e8b725da41f051fdaffccfc2e27e2450f89866b8d113a2782a11c54e1dbf03e5db22b883eaf7bea8cfd2472e67c7eebabc9de2ef838

  • SSDEEP

    1536:uS4122+admkx3xg+s8ZtkhMvIpylYTvf6EEXUaSsGe0yNgnIcm:/4122+admkx6cZi0IvUasKUgID

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: LoadsDriver 9 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
    1⤵
    PID:2092
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s fdPHost
    1⤵
    PID:3632
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4148
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
      goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
      2⤵
      PID:4120
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
      goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
      2⤵
      PID:2716
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
      goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
      2⤵
      PID:4364
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd
    1⤵
    PID:3184
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd
    1⤵
    PID:3720
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd
    1⤵
    PID:4040
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\system32\sc.exe
      sc stop "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:4952
    • C:\Windows\system32\sc.exe
      sc delete "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:2636
    • C:\Windows\system32\sc.exe
      sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
      2⤵
      • Launches sc.exe
      PID:4680
    • C:\Windows\system32\sc.exe
      sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
      2⤵
      • Launches sc.exe
      PID:3860
    • C:\Windows\system32\sc.exe
      sc start "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:3280
  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
    1⤵
    PID:3556
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\system32\sc.exe
      sc stop "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:3388
    • C:\Windows\system32\sc.exe
      sc delete "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:1324
    • C:\Windows\system32\sc.exe
      sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
      2⤵
      • Launches sc.exe
      PID:864
    • C:\Windows\system32\sc.exe
      sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
      2⤵
      • Launches sc.exe
      PID:3856
    • C:\Windows\system32\sc.exe
      sc start "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:1244
  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
    1⤵
    PID:4320
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
      goodbyedpi.exe -9
      2⤵
      PID:5104
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
      goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
      2⤵
      PID:2568
  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
    1⤵
    PID:2820

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2092-0-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2092-2-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2092-1-0x0000000062800000-0x0000000062813000-memory.dmp
    Filesize: 76KB
  • memory/2568-20-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2716-8-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2716-10-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2820-26-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/2820-24-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/3556-14-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/4120-4-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/4120-6-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/4320-18-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/4320-22-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/4364-12-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB
  • memory/5104-16-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
    Filesize: 128KB