sality | 44e02a5fc42081cf1897661ed76899a9ffb042bacee98f398c3c687a3f7e1547

General

Target

101d92081eedfdb8eb83bca5f5a0a4f9.exe
Size

364KB
MD5

101d92081eedfdb8eb83bca5f5a0a4f9
SHA1

99cd4c1fe4b960aad63db3062e70d5f1e7631dc2
SHA256

44e02a5fc42081cf1897661ed76899a9ffb042bacee98f398c3c687a3f7e1547
SHA512

cb34e6192bbacc5ed527cba63dfd9ce165505b31f107ee41d69672191726d22487cc2ccc4d0778dc3a72a2238efcbc76f9aac6ea4d6dc428c694424614671a39
SSDEEP

6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPpR2tif5kv29P1xBurgI97w5:EagCkDLRkv29txErHI5

Score

10^/10

sality backdoor upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Executes dropped EXE 3 IoCs

Processes:

svchost.exe101d92081eedfdb8eb83bca5f5a0a4f9.exesvchost.exe

pid process

3576 svchost.exe
1136 101d92081eedfdb8eb83bca5f5a0a4f9.exe
1580 svchost.exe

pid	process
3576	svchost.exe
1136	101d92081eedfdb8eb83bca5f5a0a4f9.exe
1580	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1136-138-0x00000000022A0000-0x000000000335A000-memory.dmp	upx

Drops file in Program Files directory 51 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

101d92081eedfdb8eb83bca5f5a0a4f9.exe

description ioc process

File created C:\Windows\svchost.exe 101d92081eedfdb8eb83bca5f5a0a4f9.exe

description	ioc	process
File created	C:\Windows\svchost.exe	101d92081eedfdb8eb83bca5f5a0a4f9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

101d92081eedfdb8eb83bca5f5a0a4f9.exesvchost.exe

description	pid	process	target process
PID 668 wrote to memory of 3576	668	101d92081eedfdb8eb83bca5f5a0a4f9.exe	svchost.exe
PID 668 wrote to memory of 3576	668	101d92081eedfdb8eb83bca5f5a0a4f9.exe	svchost.exe
PID 668 wrote to memory of 3576	668	101d92081eedfdb8eb83bca5f5a0a4f9.exe	svchost.exe
PID 3576 wrote to memory of 1136	3576	svchost.exe	101d92081eedfdb8eb83bca5f5a0a4f9.exe
PID 3576 wrote to memory of 1136	3576	svchost.exe	101d92081eedfdb8eb83bca5f5a0a4f9.exe
PID 3576 wrote to memory of 1136	3576	svchost.exe	101d92081eedfdb8eb83bca5f5a0a4f9.exe

C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe
"C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe
"C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe"
3⤵
- Executes dropped EXE
PID:1136

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\101d92081eedfdb8eb83bca5f5a0a4f9.exe
Filesize
328KB

MD5
9f009abad25beb2f7f530817718690b6

SHA1
60ea3f4e777603f35a22ff06945b5b56c508ed46

SHA256
51bbc3f3841292ca10fcb89b7433e8c8acc02fd0ca6371662c343fcfb1af8a1f

SHA512
6ef0f33a78b19b707be95dde480e2f2c4b9d8d2eca57eeea1628807cbefcd8de5991ad48311af182baaf1ee1c24a756a1a5712ffa83be379a00c61fe3e77fc25

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
memory/1136-135-0x0000000000000000-mapping.dmp

Download
memory/1136-138-0x00000000022A0000-0x000000000335A000-memory.dmp

Filesize
16.7MB

Download
memory/1136-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads