Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/12/2024, 01:46 UTC

General

  • Target

    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe

  • Size

    2.4MB

  • MD5

    a15ebcf1c57e75403d6e0ee46a8f3a50

  • SHA1

    560b4054d7a4d26e680d746b85bb09e22abe0032

  • SHA256

    93645faac95453de4596a1a6c1e79b3f703d73bfceb84cad8ec3dd5b857e86f7

  • SHA512

    5b43fbf0929c396fec67891551ade1b2ab0427531cc0de87fb3f929ea54672e9b64a0a0e7a43ff6000f3245ff568f4c9be2086a50862671d422128de91751655

  • SSDEEP

    49152:2Wud7AkqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFW31q4:Id7AfrlyutLxC3sEwwM3U4

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 9 IoCs

    Attempts to gather information on the host's network.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\arp.exe
      arp -a
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:1492
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.0.1 c9-06-87-01-7f-75
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2080
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.255.255 84-17-2a-9d-ac-6c
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:320
    • C:\Windows\SysWOW64\arp.exe
      arp -s 37.27.61.181 00-ae-b4-3b-bf-cb
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3480
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.22 65-e7-46-c1-18-fd
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2548
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.251 71-0d-0c-99-8b-f8
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:5112
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.252 fc-38-86-14-61-bc
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2536
    • C:\Windows\SysWOW64\arp.exe
      arp -s 239.255.255.250 63-5c-5f-a7-c7-56
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:4220
    • C:\Windows\SysWOW64\arp.exe
      arp -s 255.255.255.255 ac-b9-c1-4a-da-09
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3988
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:532
    • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
      "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DG30HdQ8G4ngDpbEHfW1gEXYhwD6lzpDc8HlTAHx7scbrxDthotkHK0HexvlOWvJbJd76eqnPU0MQPeaLH3gS2w..%26pcid%3D-2241203717467645359%26fr%3Dxiazai%26source%3Dxixi%26filename%3Dpdfwjt.zip&iconurl=https%3A%2F%2Fpic.cr173.com%2Fup%2F2014-4%2F201449152326.jpg&softname=PDF%E8%BD%AC%E6%8D%A2%E9%80%9A&softsize=19.05MB
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      PID:2848
    • C:\Windows\SysWOW64\arp.exe
      arp -d
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2444

Network

  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    yz.app.sogou.com
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    yz.app.sogou.com
    IN A
    Response
    yz.app.sogou.com
    IN A
    43.153.236.147
    yz.app.sogou.com
    IN A
    43.153.249.87
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-sg
    GET
    http://yz.app.sogou.com/appinfo?num=104320
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    43.153.236.147:80
    Request
    GET /appinfo?num=104320 HTTP/1.1
    User-Agent: HttpDownload
    Host: yz.app.sogou.com
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Tue, 10 Dec 2024 01:46:26 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://yz.app.sogou.com/appinfo?num=104320
  • flag-sg
    GET
    https://yz.app.sogou.com/appinfo?num=104320
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    43.153.236.147:443
    Request
    GET /appinfo?num=104320 HTTP/1.1
    User-Agent: HttpDownload
    Host: yz.app.sogou.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 01:46:28 GMT
    Content-Type: text/plain; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: SUID=53B0D7B58351A20B0000000067579D73; expires=Mon, 05-Dec-2044 01:46:27 GMT; domain=.sogou.com; path=/
    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.digicert.cn
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.cn
    IN A
    Response
    ocsp.digicert.cn
    IN CNAME
    ocsp.digicert.cn.w.cdngslb.com
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.211
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.166
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.222
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.213
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.224
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.223
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.225
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    79.133.176.219
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Tue, 10 Dec 2024 01:18:04 GMT
    Via: ens-cache1.l2de3[0,0,200-0,H], ens-cache16.l2de3[1,0], ens-cache5.gb6[0,0,200-0,H], ens-cache4.gb6[1,0]
    Age: 1703
    Ali-Swift-Global-Savetime: 1733793484
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Tue, 10 Dec 2024 01:18:35 GMT
    X-Swift-CacheTime: 3569
    Timing-Allow-Origin: *
    EagleId: 4f85b09817337951873817055e
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Tue, 10 Dec 2024 01:28:09 GMT
    Via: ens-cache14.l2de3[0,0,200-0,H], ens-cache3.l2de3[0,0], ens-cache9.gb6[0,0,200-0,H], ens-cache4.gb6[1,0]
    Age: 1098
    Ali-Swift-Global-Savetime: 1733794089
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Tue, 10 Dec 2024 01:28:12 GMT
    X-Swift-CacheTime: 3597
    Timing-Allow-Origin: *
    EagleId: 4f85b09817337951874637212e
  • flag-us
    DNS
    147.236.153.43.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.236.153.43.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.176.133.79.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.176.133.79.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ping.t.sogou.com
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    ping.t.sogou.com
    IN A
    Response
  • flag-us
    DNS
    pic.cr173.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    pic.cr173.com
    IN A
    Response
    pic.cr173.com
    IN CNAME
    pic.cr173.com.w.kunlunar.com
    pic.cr173.com.w.kunlunar.com
    IN A
    163.181.154.186
  • flag-gb
    HEAD
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    SogouSoftware.exe
    Remote address:
    163.181.154.186:443
    Request
    HEAD /up/2014-4/201449152326.jpg HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; {D9D54F49-E51C-445e-92F2-1EE3C2313240})
    Host: pic.cr173.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: Tengine
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Date: Mon, 09 Dec 2024 01:45:03 GMT
    Location: https://p.e5n.com/up/2014-4/201449152326.jpg
    Via: ens-cache3.l2de3[365,365,301-0,M], ens-cache10.l2de3[366,0], ens-cache11.gb4[0,0,301-0,H], ens-cache6.gb4[1,0]
    Age: 86486
    Ali-Swift-Global-Savetime: 1733708703
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Mon, 09 Dec 2024 01:45:03 GMT
    X-Swift-CacheTime: 93312000
    Timing-Allow-Origin: *
    EagleId: a3b59a9a17337951894013815e
  • flag-gb
    GET
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    SogouSoftware.exe
    Remote address:
    163.181.154.186:443
    Request
    GET /up/2014-4/201449152326.jpg HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pic.cr173.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Server: Tengine
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Date: Mon, 09 Dec 2024 01:45:03 GMT
    Location: https://p.e5n.com/up/2014-4/201449152326.jpg
    Via: ens-cache3.l2de3[365,365,301-0,M], ens-cache10.l2de3[366,0], ens-cache11.gb4[0,0,301-0,H], ens-cache6.gb4[1,0]
    Age: 86491
    Ali-Swift-Global-Savetime: 1733708703
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Mon, 09 Dec 2024 01:45:03 GMT
    X-Swift-CacheTime: 93312000
    Timing-Allow-Origin: *
    EagleId: a3b59a9a17337951941018532e
  • flag-us
    DNS
    186.154.181.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    186.154.181.163.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.66.101.151.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.66.101.151.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.2.101.151.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.2.101.151.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    p.e5n.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    p.e5n.com
    IN A
    Response
    p.e5n.com
    IN CNAME
    p.e5n.com.w.kunlunaq.com
    p.e5n.com.w.kunlunaq.com
    IN A
    180.163.146.85
  • flag-us
    DNS
    www.baidu.com
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    www.baidu.com
    IN A
    Response
    www.baidu.com
    IN CNAME
    www.a.shifen.com
    www.a.shifen.com
    IN CNAME
    www.wshifen.com
    www.wshifen.com
    IN A
    103.235.46.96
    www.wshifen.com
    IN A
    103.235.47.188
  • flag-hk
    GET
    http://www.baidu.com/
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    103.235.46.96:80
    Request
    GET / HTTP/1.1
    Accept: */*
    Host: www.baidu.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 29432
    Content-Type: text/html
    Date: Tue, 10 Dec 2024 01:46:34 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=39F03702F1E1935D19F986427547DD88:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=39F03702F1E1935D19F986427547DD88; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1733795194; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=39F03702F1E1935DFDFD1F908F8B1B8B:FG=1; max-age=31536000; expires=Wed, 10-Dec-25 01:46:34 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 1733795194048131073011858719227000721830
    Vary: Accept-Encoding
    X-Ua-Compatible: IE=Edge,chrome=1
    X-Xss-Protection: 1;mode=block
  • flag-us
    DNS
    96.46.235.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.46.235.103.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5isohu.com
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    www.aieov.com
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com
    IN A
    Response
    www.aieov.com
    IN A
    45.56.79.23
    www.aieov.com
    IN A
    173.255.194.134
    www.aieov.com
    IN A
    198.58.118.167
    www.aieov.com
    IN A
    45.33.18.44
    www.aieov.com
    IN A
    72.14.185.43
    www.aieov.com
    IN A
    45.33.2.79
    www.aieov.com
    IN A
    96.126.123.244
    www.aieov.com
    IN A
    72.14.178.174
    www.aieov.com
    IN A
    45.79.19.196
    www.aieov.com
    IN A
    45.33.30.197
    www.aieov.com
    IN A
    45.33.23.183
    www.aieov.com
    IN A
    45.33.20.235
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    45.56.79.23:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Tue, 10 Dec 2024 01:46:35 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    GET
    http://www.aieov.com/so.gif
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    Remote address:
    45.56.79.23:80
    Request
    GET /so.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Tue, 10 Dec 2024 01:46:35 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    DNS
    23.79.56.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.79.56.45.in-addr.arpa
    IN PTR
    Response
    23.79.56.45.in-addr.arpa
    IN PTR
    li929-23.members.linode.com
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    xz.sogou.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    xz.sogou.com
    IN A
    Response
    xz.sogou.com
    IN A
    43.153.236.147
    xz.sogou.com
    IN A
    43.153.249.87
  • flag-sg
    GET
    http://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    SogouSoftware.exe
    Remote address:
    43.153.236.147:80
    Request
    GET /handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend HTTP/1.1
    User-Agent: HttpRequest
    Host: xz.sogou.com
    Cookie: SUID=53B0D7B58351A20B0000000067579D73
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Tue, 10 Dec 2024 01:46:55 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-sg
    GET
    https://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    SogouSoftware.exe
    Remote address:
    43.153.236.147:443
    Request
    GET /handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend HTTP/1.1
    User-Agent: HttpRequest
    Host: xz.sogou.com
    Connection: Keep-Alive
    Cookie: SUID=53B0D7B58351A20B0000000067579D73
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 01:46:57 GMT
    Content-Type: text/plain; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: usid=53B0D7B58F51A20B0000000067579D91; expires=Wed, 10-Dec-25 01:46:57 GMT; domain=.sogou.com; path=/
    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D
    SogouSoftware.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Tue, 10 Dec 2024 01:46:56 GMT
    Via: ens-cache17.l2de3[3,3,200-0,M], ens-cache5.l2de3[4,0], ens-cache9.gb6[20,20,200-0,M], ens-cache7.gb6[24,0]
    Ali-Swift-Global-Savetime: 1733795216
    X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
    X-Swift-SaveTime: Tue, 10 Dec 2024 01:46:56 GMT
    X-Swift-CacheTime: 3600
    Timing-Allow-Origin: *
    EagleId: 4f85b09b17337952167593480e
  • flag-us
    DNS
    yze.t.sogou.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    yze.t.sogou.com
    IN A
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 43.153.236.147:80
    http://yz.app.sogou.com/appinfo?num=104320
    http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    316 B
    505 B
    5
    3

    HTTP Request

    GET http://yz.app.sogou.com/appinfo?num=104320

    HTTP Response

    301
  • 43.153.236.147:443
    https://yz.app.sogou.com/appinfo?num=104320
    tls, http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    909 B
    4.9kB
    11
    9

    HTTP Request

    GET https://yz.app.sogou.com/appinfo?num=104320

    HTTP Response

    200
  • 79.133.176.211:80
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D
    http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    736 B
    2.2kB
    6
    5

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D

    HTTP Response

    200
  • 163.181.154.186:443
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    tls, http
    SogouSoftware.exe
    1.8kB
    6.9kB
    15
    11

    HTTP Request

    HEAD https://pic.cr173.com/up/2014-4/201449152326.jpg

    HTTP Response

    301

    HTTP Request

    GET https://pic.cr173.com/up/2014-4/201449152326.jpg

    HTTP Response

    301
  • 180.163.146.85:443
    p.e5n.com
    SogouSoftware.exe
    156 B
    3
  • 103.235.46.96:80
    http://www.baidu.com/
    http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    2.9kB
    63.3kB
    59
    57

    HTTP Request

    GET http://www.baidu.com/

    HTTP Response

    200
  • 180.163.146.85:443
    p.e5n.com
    SogouSoftware.exe
    260 B
    5
  • 45.56.79.23:80
    http://www.aieov.com/logo.gif
    http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.56.79.23:80
    http://www.aieov.com/so.gif
    http
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    334 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/so.gif

    HTTP Response

    403
  • 43.153.236.147:80
    http://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    http
    SogouSoftware.exe
    512 B
    689 B
    6
    5

    HTTP Request

    GET http://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend

    HTTP Response

    301
  • 43.153.236.147:443
    https://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    tls, http
    SogouSoftware.exe
    1.3kB
    6.9kB
    16
    13

    HTTP Request

    GET https://xz.sogou.com/handleUserIdDb256?userid=b58b62224ce2ba4f6925d97fb6b9143b&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend

    HTTP Response

    200
  • 79.133.176.211:80
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D
    http
    SogouSoftware.exe
    509 B
    1.2kB
    6
    5

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D

    HTTP Response

    200
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    yz.app.sogou.com
    dns
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    62 B
    94 B
    1
    1

    DNS Request

    yz.app.sogou.com

    DNS Response

    43.153.236.147
    43.153.249.87

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    ocsp.digicert.cn
    dns
    SogouSoftware.exe
    62 B
    234 B
    1
    1

    DNS Request

    ocsp.digicert.cn

    DNS Response

    79.133.176.211
    79.133.176.166
    79.133.176.222
    79.133.176.213
    79.133.176.224
    79.133.176.223
    79.133.176.225
    79.133.176.219

  • 8.8.8.8:53
    147.236.153.43.in-addr.arpa
    dns
    73 B
    130 B
    1
    1

    DNS Request

    147.236.153.43.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    211.176.133.79.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    211.176.133.79.in-addr.arpa

  • 8.8.8.8:53
    ping.t.sogou.com
    dns
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    62 B
    121 B
    1
    1

    DNS Request

    ping.t.sogou.com

  • 8.8.8.8:53
    pic.cr173.com
    dns
    SogouSoftware.exe
    59 B
    114 B
    1
    1

    DNS Request

    pic.cr173.com

    DNS Response

    163.181.154.186

  • 8.8.8.8:53
    186.154.181.163.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    186.154.181.163.in-addr.arpa

  • 8.8.8.8:53
    133.66.101.151.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    133.66.101.151.in-addr.arpa

  • 8.8.8.8:53
    133.2.101.151.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    133.2.101.151.in-addr.arpa

  • 8.8.8.8:53
    p.e5n.com
    dns
    SogouSoftware.exe
    55 B
    106 B
    1
    1

    DNS Request

    p.e5n.com

    DNS Response

    180.163.146.85

  • 8.8.8.8:53
    www.baidu.com
    dns
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    59 B
    144 B
    1
    1

    DNS Request

    www.baidu.com

    DNS Response

    103.235.46.96
    103.235.47.188

  • 8.8.8.8:53
    96.46.235.103.in-addr.arpa
    dns
    72 B
    160 B
    1
    1

    DNS Request

    96.46.235.103.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    www.aieov.com
    dns
    2024-12-10_a15ebcf1c57e75403d6e0ee46a8f3a50_floxif_mafia.exe
    59 B
    251 B
    1
    1

    DNS Request

    www.aieov.com

    DNS Response

    45.56.79.23
    173.255.194.134
    198.58.118.167
    45.33.18.44
    72.14.185.43
    45.33.2.79
    96.126.123.244
    72.14.178.174
    45.79.19.196
    45.33.30.197
    45.33.23.183
    45.33.20.235

  • 8.8.8.8:53
    23.79.56.45.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    23.79.56.45.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    xz.sogou.com
    dns
    SogouSoftware.exe
    58 B
    90 B
    1
    1

    DNS Request

    xz.sogou.com

    DNS Response

    43.153.236.147
    43.153.249.87

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    yze.t.sogou.com
    dns
    SogouSoftware.exe
    61 B
    120 B
    1
    1

    DNS Request

    yze.t.sogou.com

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

    Filesize

    232KB

    MD5

    0bc2d003fcfe3fa65f4c3ba7a015fa41

    SHA1

    72ed85bc1c57259b4f2ed36d16ce3fed4e30607c

    SHA256

    388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b

    SHA512

    ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

  • C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll

    Filesize

    450KB

    MD5

    b1ce2dba9515e144908aa34ac77f5a46

    SHA1

    0a3e601eeba273a16d815c5e59793eb73db9daad

    SHA256

    5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f

    SHA512

    d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

  • C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll.tmp

    Filesize

    531KB

    MD5

    b487dcedac2a5f4150a56ac2ebcf3420

    SHA1

    8ffb5e90aecdf9805d8737cdf77ec5bdc3399cbc

    SHA256

    07cb38b197715b2680033855bb92e7dfb00b4ade935527df895c76d70a9f7056

    SHA512

    f3c8cc6b5ad4339e63dd6dfc4b156d1965c2e1852510e2a1072872b878d299490fa2a912860174a688125ef65a6a2dcb5befc69f891e7aa3f90c377ecd483d14

  • C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base

    Filesize

    53B

    MD5

    113136892f2137aa0116093a524ade0b

    SHA1

    a0284943f8ddfe69ceec90833e66d96bdf4a97f0

    SHA256

    ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02

    SHA512

    d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

  • C:\Program Files\Common Files\System\symsrv.dll

    Filesize

    71KB

    MD5

    4fcd7574537cebec8e75b4e646996643

    SHA1

    efa59bb9050fb656b90d5d40c942fb2a304f2a8b

    SHA256

    8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

    SHA512

    7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

    Filesize

    471B

    MD5

    cdafe188a8d6d5bd5f5e8d7edacce249

    SHA1

    d7349b2856ff0debe5c6ebaa5c70ec6cde1f0be0

    SHA256

    5a6c5428b2b871a913d08733a8c376106f12b2fce1dfe732b6fcdc43cd512ef2

    SHA512

    b7c4814f26ff3d82c4fcde190d4bc086c604571957d2a4dc92a228e3b8ce842b0a8c8690be79763063aebb3ee8d6bb660fd6724ba61dd5397cfc6b78366da1c4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

    Filesize

    398B

    MD5

    5779b4a72d29fb2130fb62e4985504eb

    SHA1

    9babcec08d6515ab58cd67f573c6ec4e87db91d4

    SHA256

    6975b169e5a1fae9c922c64d4db7970cb8c9eb8d86b97663592ed9dee5504095

    SHA512

    90089e66add682b090d671b610f47d0c0d713278d340a753743aec516d97f48dd77937318610212de7dd980681d593843b4bc6853becfc980dfc9ce74a5bf2b1

  • C:\Users\Admin\AppData\Local\Temp\minidownload.exe

    Filesize

    1.9MB

    MD5

    0618e9851ea4a522abeded8d40c2f19e

    SHA1

    c6772967fdf545e32d28f3b46e97aec5b9ff99f5

    SHA256

    506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4

    SHA512

    b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

  • memory/2344-90-0x0000000000850000-0x0000000000A9A000-memory.dmp

    Filesize

    2.3MB

  • memory/2344-87-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/2344-86-0x0000000000850000-0x0000000000A9A000-memory.dmp

    Filesize

    2.3MB

  • memory/2344-92-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/2344-84-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/2344-7-0x0000000000851000-0x0000000000852000-memory.dmp

    Filesize

    4KB

  • memory/2344-4-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/2848-93-0x0000000072B80000-0x0000000072BF8000-memory.dmp

    Filesize

    480KB

  • memory/2848-100-0x0000000072B80000-0x0000000072BF8000-memory.dmp

    Filesize

    480KB

  • memory/2848-102-0x0000000072B80000-0x0000000072BF8000-memory.dmp

    Filesize

    480KB

  • memory/2848-110-0x0000000072B80000-0x0000000072BF8000-memory.dmp

    Filesize

    480KB

  • memory/2848-111-0x0000000072B80000-0x0000000072BF8000-memory.dmp

    Filesize

    480KB
