Malware Analysis Report

2024-10-16 05:04

Sample ID: 240803-125hls1glb
Target: goodbyedpi-0.2.3rc1-2.zip
SHA256: e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Tags: evasion, execution, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443

Threat Level: Likely malicious

The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, execution, persistence

Creates new service(s)
Stops running service(s)
Launches sc.exe
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-03 22:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 22:09
Reported: 2024-08-03 22:15
Platform: win10-20240404-en
Max time kernel: 297s
Max time network: 298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Signatures

Creates new service(s) (persistence, execution)
Stops running service(s) (evasion, execution)
Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 4120 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4732 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4260 wrote to memory of 4364 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4948 wrote to memory of 4952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4948 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4948 wrote to memory of 4680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4948 wrote to memory of 3860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4948 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2776 wrote to memory of 3388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2776 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2776 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2776 wrote to memory of 3856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2776 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1020 wrote to memory of 5104 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3628 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s fdPHost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd" "

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "

C:\Windows\system32\sc.exe

sc stop "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc delete "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"

C:\Windows\system32\sc.exe

sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"

C:\Windows\system32\sc.exe

sc start "GoodbyeDPI"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd" "

C:\Windows\system32\sc.exe

sc stop "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc delete "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"

C:\Windows\system32\sc.exe

sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"

C:\Windows\system32\sc.exe

sc start "GoodbyeDPI"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd" "

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Network

Country | Destination | Domain | Proto
N/A | 239.255.255.250:3702 | - | udp
N/A | 239.255.255.250:3702 | - | udp
US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp

Files

memory/2092-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2092-0-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2092-2-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/4120-4-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/4120-6-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2716-8-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2716-10-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/4364-12-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/3556-14-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/5104-16-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/4320-18-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2568-20-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/4320-22-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2820-24-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp
memory/2820-26-0x00007FF7A5650000-0x00007FF7A5670000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 22:09
Reported: 2024-08-03 22:15
Platform: win10v2004-20240802-en
Max time kernel: 93s
Max time network: 206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Signatures

Suspicious behavior: LoadsDriver

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/3252-0-0x00007FF737560000-0x00007FF737580000-memory.dmp
memory/3252-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3252-2-0x00007FF737560000-0x00007FF737580000-memory.dmp