sality | e75ba23462d89911fbabb34cbcec96e307d70bd7823c6646701209fb4a0f380e

General

Target

a419a4822c5d2068a08960d9d7a11401.exe
Size

364KB
MD5

a419a4822c5d2068a08960d9d7a11401
SHA1

180a06b1db80c65d9e12a9a5662f3cce1cf74c20
SHA256

e75ba23462d89911fbabb34cbcec96e307d70bd7823c6646701209fb4a0f380e
SHA512

338969e8c63f724e018ac081bf7e9f35de7f9b218c4e7abc08e3fc581ee8ff9b2746270c2510e640b86dcc5b53b5910be45812c7d733e0a371f3c0c7fd31aa1f
SSDEEP

6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgP3+ziylHgf5kBQGtd/WrybBs:EagCkDt+myJgRkLuWbErSI5

Score

10^/10

sality backdoor upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Executes dropped EXE 3 IoCs

Processes:

svchost.exea419a4822c5d2068a08960d9d7a11401.exesvchost.exe

pid process

1520 svchost.exe
5048 a419a4822c5d2068a08960d9d7a11401.exe
1924 svchost.exe

pid	process
1520	svchost.exe
5048	a419a4822c5d2068a08960d9d7a11401.exe
1924	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5048-137-0x0000000002260000-0x000000000331A000-memory.dmp	upx

Drops file in Program Files directory 38 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

a419a4822c5d2068a08960d9d7a11401.exe

description ioc process

File created C:\Windows\svchost.exe a419a4822c5d2068a08960d9d7a11401.exe

description	ioc	process
File created	C:\Windows\svchost.exe	a419a4822c5d2068a08960d9d7a11401.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a419a4822c5d2068a08960d9d7a11401.exesvchost.exe

description	pid	process	target process
PID 4664 wrote to memory of 1520	4664	a419a4822c5d2068a08960d9d7a11401.exe	svchost.exe
PID 4664 wrote to memory of 1520	4664	a419a4822c5d2068a08960d9d7a11401.exe	svchost.exe
PID 4664 wrote to memory of 1520	4664	a419a4822c5d2068a08960d9d7a11401.exe	svchost.exe
PID 1520 wrote to memory of 5048	1520	svchost.exe	a419a4822c5d2068a08960d9d7a11401.exe
PID 1520 wrote to memory of 5048	1520	svchost.exe	a419a4822c5d2068a08960d9d7a11401.exe
PID 1520 wrote to memory of 5048	1520	svchost.exe	a419a4822c5d2068a08960d9d7a11401.exe

C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe
"C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe
"C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe"
3⤵
- Executes dropped EXE
PID:5048

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a419a4822c5d2068a08960d9d7a11401.exe
Filesize
328KB

MD5
c310734e4c09612be74a56a6ed7b7b58

SHA1
2c9b332b2483c070780faba7bb43c46223193e96

SHA256
9cb620aa0665e5e97884ea1e2dfed74cd8897f83e221f85b776c2cb1ebe31d7c

SHA512
53ea9433f763d58c4816639ef9b95c7c850c21298b8c27c0d0913b9926a67929936d271d5ec37428749a513ad16ee53e1c6e226cedd8de905b807afd71e5921b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
memory/1520-132-0x0000000000000000-mapping.dmp

Download
memory/5048-135-0x0000000000000000-mapping.dmp

Download
memory/5048-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-137-0x0000000002260000-0x000000000331A000-memory.dmp

Filesize
16.7MB

Download
memory/5048-140-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-141-0x0000000002260000-0x000000000331A000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads