sality

Sharing

Copy URL

Twitter E-mail

General

Target

XIN-XIES.rar
Size

6.0MB
Sample

220918-b6g6faeeen
MD5

ad47a32a5dcca65ab4e96ac5d425cd2a
SHA1

29cf7f93752024e9aa0070cf22c3c6e8858f4fb2
SHA256

0994bacabba34499288c55d9568f4e73a2c5bef849fde42fc03052bf63948e57
SHA512

c20cd6d8da0d36be35c53d438ad8aa6684ba06341285f96fca062990f50c541bcc4887d65c05de0cdc9609f748a09fa0df3acf6f5097b7be62aeaed4433d898f
SSDEEP

196608:FRx66pbR0aBpOBw5398q4sSEA1FHarSKlm:LxB0aBpis398lsSndf

Score

10^/10

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

- Target
  
  XISE WBMS 2020官方正版.exe
- Size
  
  4.0MB
- MD5
  
  a47caab73754524cc784192093c20e29
- SHA1
  
  e51864c3b164629bc1fc37b45fee5681dc8acacb
- SHA256
  
  aac091f5d270dc494cb1730c74d6568a3bc4eef593f7de539bf258acebaa46d0
- SHA512
  
  b6e06a55208fbeb74fa281666366bd88a2c62a52fa501e08d8deeed16ecf9c703fee477a9920da05e38be6a8946045024a4d398135fcc986a5294690cfef2292
- SSDEEP
  
  98304:Hnsmtk2aakvWib3jEvh6TnA20+eYiwgyvraKFt:HLab3o56TA20nAdu8t
Score

10^/10

sality backdoor evasion persistence trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2
- Target
  
  fz.dat
- Size
  
  808KB
- MD5
  
  bf59424bc6cce2bbf12b1ba84b6f2ae2
- SHA1
  
  1b4d6200d22a063fc2c6b4043fe568ffd6dc2057
- SHA256
  
  6df2763332209ba83ed38800541dda57a5bc605398083c8d3dc9797adc6639b2
- SHA512
  
  74974ed00e35793d8af6dce4655aebe93999037e23650264359dbc15b99e98135b30d5ca7dbf3f61e94fc1cac87c038bd3a728a56326520e4d7315bc87971a85
- SSDEEP
  
  12288:2mLrKI5p+OO+maTckE6rjR4QYoXXsqFzzG5a65qhWlC:2mPtObMznjRbYw8Z5aWC
Score

3^/10
behavioral3 behavioral4
- Target
  
  jiaoben/zhu/asp/1.asp
- Size
  
  1B
- MD5
  
  c4ca4238a0b923820dcc509a6f75849b
- SHA1
  
  356a192b7913b04c54574d18c28d46e6395428ab
- SHA256
  
  6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
- SHA512
  
  4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
Score

3^/10
behavioral5 behavioral6
- Target
  
  xise/XISE 菜刀管理7.9.exe
- Size
  
  3.5MB
- MD5
  
  96982ad9d89aed47ae7745e629ac5e94
- SHA1
  
  a38cd9ca46a12465e167fa4e142566dcbacd52c0
- SHA256
  
  1af112aa05fff8e947f7d0736bbd22b103bfaeadaf8df008d0a8420399411f36
- SHA512
  
  1a9711e65786155e1e6f263d3d1871a44e4c4465ea7497996dbab5ae4fb95241bcb47c4f9e5fcb3a924fc31d547ecbb9ee2eecbc5ea551c8005688976f7b256a
- SSDEEP
  
  49152:pnsHyjtk2MYC5GDBBV14O01+D/PO+pC6x692Aa+36/jOk:pnsmtk2aqVmOC+D/PO+pC6x69ja+Gjj
Score

10^/10

sality backdoor evasion persistence trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral7 behavioral8
- Target
  
  xise/jiaoben/ASPhorse.asp
- Size
  
  35KB
- MD5
  
  8330837c17352cc2727e9d164ed09fec
- SHA1
  
  883a578ca2fc2004fcc0a56787681af3e9c2de9b
- SHA256
  
  de81c225745fbd20606ee0536975cdb1e6d2f338c021d821bd473d4ee531bcec
- SHA512
  
  a2c6bdc9b0467301d98f3d289b6b8f6b8c47ee497c6449efb2be71a4140299d15f213df2c63c745f55f3680f514249443ea48d35c625368a51eb16e15175c5b7
- SSDEEP
  
  384:Rplc/R+X4WiXMVk5wIBGXpn8G0KXz7frpAPrZQ+BGvwjKfwWufBAvt3E2olfEVf/:RplwI4Cr/T+z7BswrWxWfEVfe9/BZDHM
Score

1^/10
behavioral9 behavioral10
- Target
  
  xise/jsc.dat
- Size
  
  36KB
- MD5
  
  5cab78922b94fa154a0bd75ac4e6ca44
- SHA1
  
  0d98aa34abef8092dbd3547b8626cf191597a3b8
- SHA256
  
  a69c50195ebbd41e5fe11f98d59ebc81df736ddf0b0c8571bd9bb7d2642bd68f
- SHA512
  
  340174f974090de6698ee26661584629c1ef5e629eae789c6facf8aa5ddf162fead57d6a654660a936c02e9158416e842f55a898c8f4b0dda808b0a8ca4d50b9
- SSDEEP
  
  384:5UIBq7yFryaMI8nKWWpTU2gQdDuqMapK7a/CQgYJN6RlsnED3WyLOMDlQqDQs:mmaF5KJlVgwuqLmblsneJL75Es
Score

3^/10
behavioral11 behavioral12

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies firewall policy service

UAC bypass

Windows security bypass

UPX packed file

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

UPX packed file

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12