Static analysis of Goldenhelper Malware (Golden Tax malware)

Adetomiwa
2 min readFeb 4, 2022

“GoldenHelper” was discovered on July 14, 2020 embedded in Golden Tax Invoicing Software, an invoice issuing software used by Chinese banks. This malware variant seems to have been active between January 2018 and July 2019.

Fig 1.0: First bytes of malware sample
Fig 1.1: File header in PE studio

The following details were obtained from initial static analysis:

  • File-type: dynamic-link-library (.dll)
    CPU: 64-bit
    Subsystem: GUI
    Compiler-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
    Debugger-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
    File-size: 126464 (bytes)
  • Hashes:
    md5: 490D17A5B016F3ABC14CC57F955B49B3
    sha1: A1BB73F6581AB51457EB7160BE8EE4FB18916153
    sha256:A1AA0684813CFE9D7ED5C491C8AB132E5583B4FD02187FDAE8AA4D934D933F29
  • File path: F:\DLL\dll-client-0309\x64\Release\SvcDll.pdb

Embedded Strings.

PE Studio identified ~1870 strings, the following have been highlighted:

  • The following appear to be files that will be loaded during runtime
    http://%s/app/taxver[.]jpg
    http://%s/app/tps32[.]gif
    http://%s/data/msabs[.]dat
    http://%s/data/msabb[.]rar
    http://%s/data/tax32[.]zip…

--

--

Adetomiwa
Adetomiwa

Written by Adetomiwa

The adventures of the solitary talkative

No responses yet