Gootkit sample

https://pastebin.com/raw/krzPtYEb

My Online Security @dvk01uk #gootkit
https://twitter.com/dvk01uk/status/980835227554721803
https://www.hybrid-analysis.com/sample/c71b7e669e5c614551ccd7157785d3e0e0c79277c1b65a1ce90732bc8f87b430?environmentId=100

runs cpu up to high % , uses up to 7mb memory, then stops

------------
random file properties
------------
OriginalFilename,Ascend.exe
LegalTrademarks,Adobe Systems Incorporated Copyright ©. 1999 - 2014
file-description,Sexting Micrn Shuttle Specularmaterial Bitlocker Irowset

------------
interesting in-memory strings
------------
0x127d1c (11): mp3 (*.mp3)
0x54fa3f0 (72): /c ping localhost -n 4 & del /F /Q "
0x54fa44c (22): & move /Y "
0x54fa464 (20): .update" "
0x54fa47c (22): " > nul & "
0x54fa50c (18): MP3 file corrupted
0x556b430 (60): \SystemRoot\system32\mstsc.exe
0x556b4c8 (312): [Version]
signature = "$CHICAGO$"
[DefaultInstall]
RunPreSetupCommands = %s:2
0x55c957f (21): 1$1+161>1E1R1\1c1i1p1
04BAFB24  0030B168  "RandomListenPortBase"
04BAFB28  04BAFD3C  "6000"                      <-- securityintelligence.com blog says this is gootkit's default http proxy port
RunPreSetupCommands = xhkecdteryxu:2

-------------
interesting file contents [executable name].inf
-------------
[Version]
signature = "$CHICAGO$"
AdvancedINF = 2.5, "You need a new version of advpack.dll"

[DefaultInstall]
RunPreSetupCommands = xhkecdteryxu:2

[xhkecdteryxu]
C:\Users\Win732\Desktop\gootkit - Copy.exe


-------------------------
interesting api calls
-------------------------
0A759140 | 50                       | push eax                                | eax:"safenetssl.com"
0A759141 | FF 15 EC B2 76 0A        | call dword ptr ds:[<&gethostbyname>]    |

04DAF990  0030B368  L"GET"
04DAF994  0030B348  L"/rbody320"
0A759B75 | FF 15 CC B2 76 0A        | call dword ptr ds:[<&WinHttpOpenRequest |

0A75CB43 | 52                       | push edx                                | edx:L"https://safenetssl.com:80/"
0A75CB44 | FF 15 A8 B2 76 0A        | call dword ptr ds:[<&WinHttpCrackUrl>]  |

0A758754 | 8B 4D EC                 | mov ecx,dword ptr ss:[ebp-14]           | [ebp-14]:"securesslweb.com"
0A758757 | 51                       | push ecx                                | ecx:&"/rpersist4/%d"

0A760DB3 | 50                       | push eax                                | eax:L"C:\\Users\\xxx\\Desktop\\[executable].exe --vwxyz"
0A760DB4 | 6A 00                    | push 0                                  |
0A760DB6 | FF 15 0C B2 76 0A        | call dword ptr ds:[<&CreateProcessW>]   |

---------------
strings from ssl traffic
---------------
safenetssl.com.
...........................Y...U..;b...7__..-DFX..2E.S..=.0i....}. .$...w|.....7.CWi...vW..?1A.........
.................Q...M..J..G0..C0.... .........0
. *.H..
.....0f1.0 ..U....IA1.0
..U....unuvoo1.0...U.
..otufool1.0...U....cumee.cn1!0.. *.H..
. ...dootatojo@tehe.edu0..
180402212052Z.
180502212052Z0f1.0 ..U....IA1.0
..U....unuvoo1.0...U.
..otufool1.0...U....cumee.cn1!0.. *.H..
. ...dootatojo@tehe.edu0..0