Analysis

  • max time kernel
    94s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-08-2024 06:14

General

  • Target

    goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist_dnsredir.cmd

  • Size

    747B

  • MD5

    77b1d63472e67c4368961c463cc1d92c

  • SHA1

    7653fa303944e6f2436ef72ad8a6d11eb6f8b95e

  • SHA256

    450f2b003fb579f897eded1131c9e893afde7b2ebf07b86110449e57ed9a0da8

  • SHA512

    67763f15836d456bd8713533599f2bc6d97d16887fc4078f5c5c36ec0b42beffc267e5eb9396f16aa350ce39a61c57ecc1c82e32068495a74489af68dacc3a31

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Launches sc.exe 5 IoCs

    sc.exe is the built-in Windows command-line client for the Service Control Manager; it creates, configures, starts, stops and deletes services. Each invocation in the process tree below is one step of the service (re)install.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\system32\sc.exe
      sc stop "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:2556
    • C:\Windows\system32\sc.exe
      sc delete "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:1656
    • C:\Windows\system32\sc.exe
      sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2756
    • C:\Windows\system32\sc.exe
      sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
      2⤵
      • Launches sc.exe
      PID:4548
    • C:\Windows\system32\sc.exe
      sc start "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:4344
  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"
    1⤵
      PID:3508
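The five sc.exe invocations above are a complete service install sequence (stop, delete, create with binPath= and start= auto, description, start). What an analyst wants from a "Creates new service(s)" hit is the parsed create line: the image path, whether it was quoted, where it lives, and the start type. The following Python helper is an added example, not the sandbox's code and not part of GoodbyeDPI. It tokenises the command line with Windows CommandLineToArgvW quoting rules (so the `\"` escapes inside binPath= survive), parses sc.exe's `key= value` syntax and reports findings. The sample lines are constructed from the sc.exe lines in the process tree above (the second --blacklist argument of the create line is dropped for brevity); the finding strings and the user-profile heuristic are this example's own choices.

```python
"""Triage sc.exe command lines for service-persistence indicators.

Added example; not the sandbox's code and not part of GoodbyeDPI.
"""
import re

# Constructed sample input: the sc.exe lines from the report, with the second
# --blacklist argument of the create line dropped for brevity.
SAMPLE_CMDLINES = [
    r'sc stop "GoodbyeDPI"',
    r'sc delete "GoodbyeDPI"',
    r'sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp'
    r'\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9'
    r' --dns-addr 77.88.8.8 --dns-port 1253 --blacklist \"C:\Users\Admin'
    r'\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1'
    r'\russia-blacklist.txt\"" start= "auto"',
    r'sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker'
    r' and Active DPI circumvention utility"',
    r'sc start "GoodbyeDPI"',
]


def split_windows_cmdline(cmdline):
    """Tokenise like CommandLineToArgvW: 2n backslashes before a quote give n
    backslashes and the quote toggles quoting; 2n+1 give n backslashes and a
    literal quote; backslashes not followed by a quote are literal."""
    argv, cur, in_quotes, have_tok = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:            # odd run: escaped literal quote
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)
            have_tok, i = True, j
        elif c == '"':
            in_quotes, have_tok, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_tok:
                argv.append("".join(cur))
                cur, have_tok = [], False
            i += 1
        else:
            cur.append(c)
            have_tok, i = True, i + 1
    if have_tok:
        argv.append("".join(cur))
    return argv


def parse_sc(cmdline):
    """Return (verb, service_name, {option: value}) for an sc.exe line."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2 or argv[0].rsplit("\\", 1)[-1].lower() not in ("sc", "sc.exe"):
        return None
    verb, name = argv[1].lower(), argv[2] if len(argv) > 2 else ""
    opts, rest, i = {}, argv[3:], 0
    while i < len(rest):
        if rest[i].endswith("=") and i + 1 < len(rest):   # sc's "key= value"
            opts[rest[i][:-1].lower()] = rest[i + 1]
            i += 2
        else:
            i += 1
    return verb, name, opts


def split_image_path(value):
    """Split a binPath= value into (image, arguments, was_quoted)."""
    s = value.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "", True) if end == -1 else (s[1:end], s[end + 1:].strip(), True)
    head, _, tail = s.partition(" ")
    return head, tail, False


# Heuristic (this example's own): anything under a user profile is user-writable.
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def analyze(cmdlines):
    """Map lowercase service name -> parsed create plus triage findings."""
    prior, services = {}, {}
    for line in cmdlines:
        parsed = parse_sc(line)
        if not parsed:
            continue
        verb, name, opts = parsed
        key = name.lower()
        if verb in ("stop", "delete"):
            prior.setdefault(key, set()).add(verb)
            continue
        if verb != "create":
            continue
        image, args, quoted = split_image_path(opts.get("binpath", ""))
        start = opts.get("start", "demand").lower()    # sc's default is demand
        findings = []
        if {"stop", "delete"} <= prior.get(key, set()):
            findings.append("reinstall: stop and delete issued before create")
        if USER_PROFILE.match(image):
            findings.append("image lives under a user profile (user-writable)")
        if not quoted and args and not re.search(r"\.(exe|sys)$", image, re.I):
            findings.append("unquoted image path containing spaces")
        if start in ("auto", "delayed-auto"):
            findings.append("auto-start persistence")
        services[key] = {"name": name, "image": image, "args": args,
                         "start": start, "quoted": quoted, "findings": findings}
    return services


if __name__ == "__main__":
    for svc in analyze(SAMPLE_CMDLINES).values():
        print(svc["name"], svc["image"], svc["start"], sep=" | ")
        for finding in svc["findings"]:
            print("  -", finding)
```

On the sample, the GoodbyeDPI create yields three findings (reinstall, image under a user profile, auto-start) and no unquoted-path finding, because the script wraps the image path in escaped quotes. All three findings would equally apply to any legitimate tool installed from an archive extracted into Temp, so they are triage hints rather than a verdict; for this sample the attributes that actually identify it are the file hashes in the General section and the service description string.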

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3508-0-0x00007FF68CB40000-0x00007FF68CB60000-memory.dmp

    Filesize

    128KB

  • memory/3508-1-0x0000000062800000-0x0000000062813000-memory.dmp

    Filesize

    76KB

  • memory/3508-2-0x00007FF68CB40000-0x00007FF68CB60000-memory.dmp

    Filesize

    128KB