GoldenSpy Chapter 5 : Multiple GoldenSpy Uninstaller Variants Discovered
Common Information
| Type | Value |
|---|---|
| UUID | cbf402be-42c3-4344-b1fa-b9922ec41825 |
| Fingerprint | d05409af097f2f7d |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Aug. 17, 2020, midnight |
| Added to db | Sept. 11, 2022, 12:30 p.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | SpiderLabs Blog |
| Title | GoldenSpy Chapter 5 : Multiple GoldenSpy Uninstaller Variants Discovered |
| Detected Hints/Tags/Attributes | 42/3/61 |
Attributes
YARA rule (SpiderLabs, `Goldenspy_Uninstaller`):

```yara
rule Goldenspy_Uninstaller
{
    meta:
        author = "SpiderLabs"
        malware_family = "GoldenSpy"
        filetype = "exe_dll"
        version = "4.0"

    strings:
        $str1 = "taskkill /IM svm.exe /IM svmm.exe /F"
        $str2 = "\\svm.exe -stopProtect"
        $str3 = "\\svmm.exe -u"
        $str4 = "\\VCProject\\dgs\\Release\\"
        $str5 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\svm"
        $str6 = "\\svmm.exe -stopProtect"
        $str7 = "\\svm.exe -u"
        $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\svm.exe"
        $str9 = "dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA"
        $str10 = "c3ZtLmV4ZSAtc3RvcFByb3RlY3Q"
        $str11 = "XHN2bW0uZXhlIC11"
        $str12 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ"
        $str13 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cQXBwIFBhdGhzXHN2bS5leGU"
        $str14 = "XHN2bS5leGUgLXU"
        $str15 = "c3ZtbS5leGUgLXN0b3BQcm90ZWN0"
        $str16 = { 49 51 53 8B CE E8 [0-10] 8D 4C 24 24 [0-10] 8D 44 24 3C [0-4] 68 [0-20] 83 C4 08 8B 50 04 C6 44 24 74 04 }
        $str17 = { 53 55 56 57 8D 4C 24 14 [0-10] 8D 44 24 2C 68 [0-10] 50 C7 44 24 7C [0-10] 83 C4 08 8B 70 04 C6 44 24 [0-50] 8B FE 83 C9 FF 33 C0 }

    condition:
        (uint16(0) == 0x5A4D) and 4 of ($str*)
}
```