General

  • Target

    WPS_Setup.msi

  • Size

    264.2MB

  • Sample

    250630-yfsktassgt

  • MD5

    93fff25b09ca17daab0768d4805720a9

  • SHA1

    54ed82769147a141275419f335e25fa987fc10b0

  • SHA256

    8742b43b7c7e15fe42455850c0482b8c36f0bf58e71fa3e95a50947ade1a89b1

  • SHA512

    e90a2ec76eef11a606f2c2f90d79904b962eff1511fbc65a7e98a58c42e2961be94074b330779bdd0af8b0ba1dda7c1187ed990d6d790884aa131b181fae60a5

  • SSDEEP

    6291456:Qw5RSft/Qayo3iK5t4k7sKWGY3y/P0NS4X64feR7qNzsgQVRL+S:95RaVQpo3zuGY6PUS4XwFc8U

Malware Config

Targets

    • Target

      WPS_Setup.msi

    • Size

      264.2MB

    • MD5

      93fff25b09ca17daab0768d4805720a9

    • SHA1

      54ed82769147a141275419f335e25fa987fc10b0

    • SHA256

      8742b43b7c7e15fe42455850c0482b8c36f0bf58e71fa3e95a50947ade1a89b1

    • SHA512

      e90a2ec76eef11a606f2c2f90d79904b962eff1511fbc65a7e98a58c42e2961be94074b330779bdd0af8b0ba1dda7c1187ed990d6d790884aa131b181fae60a5

    • SSDEEP

      6291456:Qw5RSft/Qayo3iK5t4k7sKWGY3y/P0NS4X64feR7qNzsgQVRL+S:95RaVQpo3zuGY6PUS4XwFc8U

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Purplefox family

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v16

Tasks