Analysis

  • max time kernel: 144s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/12/2024, 01:31 UTC

General

  • Target: 2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
  • Size: 2.4MB
  • MD5: a88746b6639efba9230dc8f19c710797
  • SHA1: f73cfff5c79f366842d1058e2a3b12f81be37fbe
  • SHA256: c11380b0c7c2ac4ec52c56c68d2c8fca564505d9a22de89e9e9ce3bf739c3699
  • SHA512: 5c678e6f303f54cd3394563dab6f494196b114f2285370bda3ad2c449de6c740c47f5e0b0dd8015de03b867f560da04e141c2996fd7d8e97bc5f64f9e33873bc
  • SSDEEP: 49152:M3uE7AkqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFW31qk:FE7AfrlyutLxC3sEwwM3Uk

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 9 IoCs

    Attempts to gather information on the host's network.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\arp.exe
      arp -a
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:696
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.0.1 35-0f-4d-d4-d2-63
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3836
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.255.255 47-43-97-37-da-b2
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:4120
    • C:\Windows\SysWOW64\arp.exe
      arp -s 49.12.169.208 22-ca-cc-64-5d-d3
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:1848
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.22 22-c1-5d-65-82-53
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3940
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.251 d8-0f-10-28-3d-03
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2620
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.252 79-6b-85-30-99-5e
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Windows\SysWOW64\arp.exe
      arp -s 239.255.255.250 eb-7e-a1-98-86-bf
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:1376
    • C:\Windows\SysWOW64\arp.exe
      arp -s 255.255.255.255 dd-0b-b2-87-37-c8
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:312
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1036
    • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
      "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DG30HdQ8G4ngDpbEHfW1gEXYhwD6lzpDc8HlTAHx7scbrxDthotkHK0HexvlOWvJbJd76eqnPU0MQPeaLH3gS2w..%26pcid%3D-2241203717467645359%26fr%3Dxiazai%26source%3Dxixi%26filename%3Dpdfwjt.zip&iconurl=https%3A%2F%2Fpic.cr173.com%2Fup%2F2014-4%2F201449152326.jpg&softname=PDF%E8%BD%AC%E6%8D%A2%E9%80%9A&softsize=19.05MB
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      PID:2228
    • C:\Windows\SysWOW64\arp.exe
      arp -d
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2792

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    yz.app.sogou.com
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    yz.app.sogou.com IN A
    Response
    yz.app.sogou.com IN A 43.153.249.87
    yz.app.sogou.com IN A 43.153.236.147
  • flag-sg
    GET
    http://yz.app.sogou.com/appinfo?num=104320
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    43.153.249.87:80
    Request
    GET /appinfo?num=104320 HTTP/1.1
    User-Agent: HttpDownload
    Host: yz.app.sogou.com
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 11 Dec 2024 01:31:15 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://yz.app.sogou.com/appinfo?num=104320
  • flag-sg
    GET
    https://yz.app.sogou.com/appinfo?num=104320
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    43.153.249.87:443
    Request
    GET /appinfo?num=104320 HTTP/1.1
    User-Agent: HttpDownload
    Host: yz.app.sogou.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 01:31:17 GMT
    Content-Type: text/plain; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: SUID=53B0D7B51651A20B000000006758EB65; expires=Tue, 06-Dec-2044 01:31:17 GMT; domain=.sogou.com; path=/
    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    87.249.153.43.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    87.249.153.43.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.digicert.cn
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.cn IN A
    Response
    ocsp.digicert.cn IN CNAME ocsp.digicert.cn.w.cdngslb.com
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.211
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.223
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.219
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.224
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.222
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.213
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.225
    ocsp.digicert.cn.w.cdngslb.com IN A 79.133.176.166
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Wed, 11 Dec 2024 01:18:24 GMT
    Via: ens-cache1.l2de3[0,0,200-0,H], ens-cache6.l2de3[1,0], ens-cache5.gb6[0,0,200-0,H], ens-cache5.gb6[3,0]
    Age: 772
    Ali-Swift-Global-Savetime: 1733879904
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Wed, 11 Dec 2024 01:18:38 GMT
    X-Swift-CacheTime: 3586
    Timing-Allow-Origin: *
    EagleId: 4f85b09917338806767258179e
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Wed, 11 Dec 2024 01:25:30 GMT
    Via: ens-cache14.l2de3[0,-1,200-0,H], ens-cache16.l2de3[17,0], ens-cache9.gb6[0,0,200-0,H], ens-cache5.gb6[1,0]
    Age: 346
    Ali-Swift-Global-Savetime: 1733880330
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Wed, 11 Dec 2024 01:25:34 GMT
    X-Swift-CacheTime: 3596
    Timing-Allow-Origin: *
    EagleId: 4f85b09917338806767838294e
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.176.133.79.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.176.133.79.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ping.t.sogou.com
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    ping.t.sogou.com
    IN A
    Response
  • flag-us
    DNS
    pic.cr173.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    pic.cr173.com IN A
    Response
    pic.cr173.com IN CNAME pic.cr173.com.w.kunlunar.com
    pic.cr173.com.w.kunlunar.com IN A 163.181.154.186
  • flag-gb
    HEAD
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    SogouSoftware.exe
    Remote address:
    163.181.154.186:443
    Request
    HEAD /up/2014-4/201449152326.jpg HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; {D9D54F49-E51C-445e-92F2-1EE3C2313240})
    Host: pic.cr173.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: Tengine
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Date: Mon, 09 Dec 2024 01:45:03 GMT
    Location: https://p.e5n.com/up/2014-4/201449152326.jpg
    Via: ens-cache3.l2de3[365,365,301-0,M], ens-cache10.l2de3[366,0], ens-cache11.gb4[0,0,301-0,H], ens-cache2.gb4[1,0]
    Age: 171976
    Ali-Swift-Global-Savetime: 1733708703
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Mon, 09 Dec 2024 01:45:03 GMT
    X-Swift-CacheTime: 93312000
    Timing-Allow-Origin: *
    EagleId: a3b59a9617338806791233765e
  • flag-gb
    GET
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    SogouSoftware.exe
    Remote address:
    163.181.154.186:443
    Request
    GET /up/2014-4/201449152326.jpg HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pic.cr173.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Server: Tengine
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Date: Mon, 09 Dec 2024 01:45:03 GMT
    Location: https://p.e5n.com/up/2014-4/201449152326.jpg
    Via: ens-cache3.l2de3[365,365,301-0,M], ens-cache10.l2de3[366,0], ens-cache11.gb4[0,0,301-0,H], ens-cache2.gb4[2,0]
    Age: 171980
    Ali-Swift-Global-Savetime: 1733708703
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Mon, 09 Dec 2024 01:45:03 GMT
    X-Swift-CacheTime: 93312000
    Timing-Allow-Origin: *
    EagleId: a3b59a9617338806832137844e
  • flag-us
    DNS
    p.e5n.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    p.e5n.com IN A
    Response
    p.e5n.com IN CNAME p.e5n.com.w.kunlunaq.com
    p.e5n.com.w.kunlunaq.com IN A 180.163.146.85
  • flag-us
    DNS
    226.20.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.20.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    186.154.181.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    186.154.181.163.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.66.101.151.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.66.101.151.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.baidu.com
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    www.baidu.com IN A
    Response
    www.baidu.com IN CNAME www.a.shifen.com
    www.a.shifen.com IN CNAME www.wshifen.com
    www.wshifen.com IN A 103.235.46.96
    www.wshifen.com IN A 103.235.47.188
  • flag-hk
    GET
    http://www.baidu.com/
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    103.235.46.96:80
    Request
    GET / HTTP/1.1
    Accept: */*
    Host: www.baidu.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 29450
    Content-Type: text/html
    Date: Wed, 11 Dec 2024 01:31:24 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=62ECCE65EC330BEBA14988EA49D22174:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=62ECCE65EC330BEBA14988EA49D22174; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1733880684; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=62ECCE65EC330BEB8EF3DF96AF84E0CF:FG=1; max-age=31536000; expires=Thu, 11-Dec-25 01:31:24 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 1733880684397090612211826622678752605848
    Vary: Accept-Encoding
    X-Ua-Compatible: IE=Edge,chrome=1
    X-Xss-Protection: 1;mode=block
  • flag-us
    DNS
    96.46.235.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.46.235.103.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5isohu.com
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    www.aieov.com
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com IN A
    Response
    www.aieov.com IN A 72.14.185.43
    www.aieov.com IN A 45.33.30.197
    www.aieov.com IN A 45.56.79.23
    www.aieov.com IN A 45.79.19.196
    www.aieov.com IN A 198.58.118.167
    www.aieov.com IN A 45.33.2.79
    www.aieov.com IN A 45.33.23.183
    www.aieov.com IN A 72.14.178.174
    www.aieov.com IN A 45.33.20.235
    www.aieov.com IN A 45.33.18.44
    www.aieov.com IN A 173.255.194.134
    www.aieov.com IN A 96.126.123.244
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    72.14.185.43:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Wed, 11 Dec 2024 01:31:24 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/so.gif
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    Remote address:
    72.14.185.43:80
    Request
    GET /so.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Wed, 11 Dec 2024 01:31:25 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    DNS
    43.185.14.72.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.185.14.72.in-addr.arpa IN PTR
    Response
    43.185.14.72.in-addr.arpa IN PTR li51-43.members.linode.com
  • flag-us
    DNS
    xz.sogou.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    xz.sogou.com IN A
    Response
    xz.sogou.com IN A 43.153.236.147
    xz.sogou.com IN A 43.153.249.87
  • flag-sg
    GET
    http://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    SogouSoftware.exe
    Remote address:
    43.153.236.147:80
    Request
    GET /handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend HTTP/1.1
    User-Agent: HttpRequest
    Host: xz.sogou.com
    Cookie: SUID=53B0D7B51651A20B000000006758EB65
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 11 Dec 2024 01:31:44 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.236.153.43.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.236.153.43.in-addr.arpa
    IN PTR
    Response
  • flag-sg
    GET
    https://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    SogouSoftware.exe
    Remote address:
    43.153.236.147:443
    Request
    GET /handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend HTTP/1.1
    User-Agent: HttpRequest
    Host: xz.sogou.com
    Connection: Keep-Alive
    Cookie: SUID=53B0D7B51651A20B000000006758EB65
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 01:31:45 GMT
    Content-Type: text/plain; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: usid=53B0D7B5BB50A20B000000006758EB81; expires=Thu, 11-Dec-25 01:31:45 GMT; domain=.sogou.com; path=/
    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • flag-gb
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D
    SogouSoftware.exe
    Remote address:
    79.133.176.211:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7200
    Date: Wed, 11 Dec 2024 00:36:49 GMT
    Via: ens-cache17.l2de3[0,0,200-0,H], ens-cache4.l2de3[2,0], ens-cache9.gb6[0,0,200-0,H], ens-cache3.gb6[1,0]
    Age: 3296
    Ali-Swift-Global-Savetime: 1733877409
    X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
    X-Swift-SaveTime: Wed, 11 Dec 2024 01:31:44 GMT
    X-Swift-CacheTime: 305
    Timing-Allow-Origin: *
    EagleId: 4f85b09717338807054377448e
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    yze.t.sogou.com
    SogouSoftware.exe
    Remote address:
    8.8.8.8:53
    Request
    yze.t.sogou.com
    IN A
    Response
  • 43.153.249.87:80
    http://yz.app.sogou.com/appinfo?num=104320
    http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    316 B
    505 B
    5
    3

    HTTP Request

    GET http://yz.app.sogou.com/appinfo?num=104320

    HTTP Response

    301
  • 43.153.249.87:443
    https://yz.app.sogou.com/appinfo?num=104320
    tls, http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    909 B
    4.9kB
    11
    9

    HTTP Request

    GET https://yz.app.sogou.com/appinfo?num=104320

    HTTP Response

    200
  • 79.133.176.211:80
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D
    http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    736 B
    2.2kB
    6
    5

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdqmTHsUm8netqJGjlpjIY%3D

    HTTP Response

    200
  • 163.181.154.186:443
    https://pic.cr173.com/up/2014-4/201449152326.jpg
    tls, http
    SogouSoftware.exe
    1.8kB
    6.9kB
    15
    11

    HTTP Request

    HEAD https://pic.cr173.com/up/2014-4/201449152326.jpg

    HTTP Response

    301

    HTTP Request

    GET https://pic.cr173.com/up/2014-4/201449152326.jpg

    HTTP Response

    301
  • 180.163.146.85:443
    p.e5n.com
    SogouSoftware.exe
    156 B
    3
  • 180.163.146.85:443
    p.e5n.com
    SogouSoftware.exe
    260 B
    5
  • 103.235.46.96:80
    http://www.baidu.com/
    http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    2.9kB
    63.7kB
    59
    57

    HTTP Request

    GET http://www.baidu.com/

    HTTP Response

    200
  • 72.14.185.43:80
    http://www.aieov.com/logo.gif
    http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    336 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 72.14.185.43:80
    http://www.aieov.com/so.gif
    http
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    334 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/so.gif

    HTTP Response

    403
  • 43.153.236.147:80
    http://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    http
    SogouSoftware.exe
    512 B
    689 B
    6
    5

    HTTP Request

    GET http://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend

    HTTP Response

    301
  • 43.153.236.147:443
    https://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
    tls, http
    SogouSoftware.exe
    1.3kB
    6.9kB
    16
    13

    HTTP Request

    GET https://xz.sogou.com/handleUserIdDb256?userid=acf191d5b5b2e6f0236620936fbb48e5&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend

    HTTP Response

    200
  • 79.133.176.211:80
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D
    http
    SogouSoftware.exe
    509 B
    1.2kB
    6
    5

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAdgzhLsLrP1y60Vf14Z6Zw%3D

    HTTP Response

    200
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    yz.app.sogou.com
    dns
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    62 B
    94 B
    1
    1

    DNS Request

    yz.app.sogou.com

    DNS Response

    43.153.249.87
    43.153.236.147

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    87.249.153.43.in-addr.arpa
    dns
    72 B
    129 B
    1
    1

    DNS Request

    87.249.153.43.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    ocsp.digicert.cn
    dns
    SogouSoftware.exe
    62 B
    234 B
    1
    1

    DNS Request

    ocsp.digicert.cn

    DNS Response

    79.133.176.211
    79.133.176.223
    79.133.176.219
    79.133.176.224
    79.133.176.222
    79.133.176.213
    79.133.176.225
    79.133.176.166

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    211.176.133.79.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    211.176.133.79.in-addr.arpa

  • 8.8.8.8:53
    ping.t.sogou.com
    dns
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    62 B
    121 B
    1
    1

    DNS Request

    ping.t.sogou.com

  • 8.8.8.8:53
    pic.cr173.com
    dns
    SogouSoftware.exe
    59 B
    114 B
    1
    1

    DNS Request

    pic.cr173.com

    DNS Response

    163.181.154.186

  • 8.8.8.8:53
    p.e5n.com
    dns
    SogouSoftware.exe
    55 B
    106 B
    1
    1

    DNS Request

    p.e5n.com

    DNS Response

    180.163.146.85

  • 8.8.8.8:53
    226.20.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    226.20.18.104.in-addr.arpa

  • 8.8.8.8:53
    186.154.181.163.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    186.154.181.163.in-addr.arpa

  • 8.8.8.8:53
    133.66.101.151.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    133.66.101.151.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    www.baidu.com
    dns
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    59 B
    144 B
    1
    1

    DNS Request

    www.baidu.com

    DNS Response

    103.235.46.96
    103.235.47.188

  • 8.8.8.8:53
    96.46.235.103.in-addr.arpa
    dns
    72 B
    160 B
    1
    1

    DNS Request

    96.46.235.103.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    www.aieov.com
    dns
    2024-12-11_a88746b6639efba9230dc8f19c710797_floxif_mafia.exe
    59 B
    251 B
    1
    1

    DNS Request

    www.aieov.com

    DNS Response

    72.14.185.43
    45.33.30.197
    45.56.79.23
    45.79.19.196
    198.58.118.167
    45.33.2.79
    45.33.23.183
    72.14.178.174
    45.33.20.235
    45.33.18.44
    173.255.194.134
    96.126.123.244

  • 8.8.8.8:53
    43.185.14.72.in-addr.arpa
    dns
    71 B
    111 B
    1
    1

    DNS Request

    43.185.14.72.in-addr.arpa

  • 8.8.8.8:53
    xz.sogou.com
    dns
    SogouSoftware.exe
    58 B
    90 B
    1
    1

    DNS Request

    xz.sogou.com

    DNS Response

    43.153.236.147
    43.153.249.87

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    147.236.153.43.in-addr.arpa
    dns
    73 B
    130 B
    1
    1

    DNS Request

    147.236.153.43.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    yze.t.sogou.com
    dns
    SogouSoftware.exe
    61 B
    120 B
    1
    1

    DNS Request

    yze.t.sogou.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
    Filesize: 232KB
    MD5: 0bc2d003fcfe3fa65f4c3ba7a015fa41
    SHA1: 72ed85bc1c57259b4f2ed36d16ce3fed4e30607c
    SHA256: 388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b
    SHA512: ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

  • C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll
    Filesize: 450KB
    MD5: b1ce2dba9515e144908aa34ac77f5a46
    SHA1: 0a3e601eeba273a16d815c5e59793eb73db9daad
    SHA256: 5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f
    SHA512: d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

  • C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll.tmp
    Filesize: 531KB
    MD5: 2182ab55681b16abc4c021d4fd834ff2
    SHA1: 7e8325a87061913ae8d275b58d5bd3bef77dfaff
    SHA256: d6e584bcf0b6080a2e20d4c87e6b3cfe28a4f9ba63b3eb295d5ea46a6836fe29
    SHA512: 6c0994452cd0cb37a3775effa9feaf842890086f27a84c27bb9312564249c55560eac14f3f16f2ff86c10c76d60abf13160961fa902cbec1627404d73239e705

  • C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base
    Filesize: 53B
    MD5: 113136892f2137aa0116093a524ade0b
    SHA1: a0284943f8ddfe69ceec90833e66d96bdf4a97f0
    SHA256: ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02
    SHA512: d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize: 71KB
    MD5: 4fcd7574537cebec8e75b4e646996643
    SHA1: efa59bb9050fb656b90d5d40c942fb2a304f2a8b
    SHA256: 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
    SHA512: 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
    Filesize: 471B
    MD5: 3447af79b32c96f76461d57d15e04e05
    SHA1: f2aa90251a6917f1c2a9870c7979e0ec7c259c13
    SHA256: b756809a53d52ec101a8d3adfc25ba3072ba9e8e5b766680eccff39cc6416dca
    SHA512: d756bf9ea8aae68b9c69a6eca9a042cf9ef415fa3bb537c1deddeadab15fb806f3dce9cacb6e7c067201540480353cf541acddaf69e5f796b8f452404996f219

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
    Filesize: 398B
    MD5: 647e20f8bd8ad4f84b0dc66dbff0535c
    SHA1: 8329a282bc4b48fc79e0acc5498b688e08ba64bd
    SHA256: 0852d2ebde889ab961a995d0b93ad3fcd962ea1f8c5398b55bb2955cfd3e7333
    SHA512: 99dcf5393a29251ae969227d40cee949e95538429475c0c09bbe68b55f7364ab8d4c7267bcb2b8b1e79abf097a21a9b846ad56caad8208aa35fdb424ab04821d

  • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
    Filesize: 1.9MB
    MD5: 0618e9851ea4a522abeded8d40c2f19e
    SHA1: c6772967fdf545e32d28f3b46e97aec5b9ff99f5
    SHA256: 506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4
    SHA512: b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

  • memory/2228-100-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/2228-93-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/2228-102-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/2228-104-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/2228-110-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/2228-111-0x0000000073340000-0x00000000733B8000-memory.dmp (Filesize: 480KB)
  • memory/4916-87-0x0000000010000000-0x0000000010033000-memory.dmp (Filesize: 204KB)
  • memory/4916-86-0x00000000002A0000-0x00000000004EA000-memory.dmp (Filesize: 2.3MB)
  • memory/4916-90-0x00000000002A0000-0x00000000004EA000-memory.dmp (Filesize: 2.3MB)
  • memory/4916-92-0x0000000010000000-0x0000000010033000-memory.dmp (Filesize: 204KB)
  • memory/4916-7-0x00000000002A1000-0x00000000002A2000-memory.dmp (Filesize: 4KB)
  • memory/4916-4-0x0000000010000000-0x0000000010033000-memory.dmp (Filesize: 204KB)
  • memory/4916-85-0x0000000010000000-0x0000000010033000-memory.dmp (Filesize: 204KB)
