Extracted

• • Target

    0fb4982a08f884109e39677dbb56b7264e9414b4e355dac6ffc3ceffaec8e433

  • Size

    467KB

  • MD5

    3a8a113bfc9fc3e4801a63dc959389d0

  • SHA1

    1a1656864e063e82836c2214faa054d2f8c751b4

  • SHA256

    0fb4982a08f884109e39677dbb56b7264e9414b4e355dac6ffc3ceffaec8e433

  • SHA512

    c39faea441e5c04474000ab3b95a4895fc3188b0eab5be611ae16a6d74b2c3da6e8ee4f31f7a7ed31fa205cbb233e3f66cbac562a9169293e40cbccf705fe70e

  • SSDEEP

    12288:LScmXucLwtfBWSQwg2CdZ4ghRaq5zzzzzsK6Rml:W3pw1BWfwpCd6ghpzzzzzsK6Yl

  Score

  10^/10

  salitybackdoorbootkitdiscoveryevasionpersistencetrojanupx

  • Modifies firewall policy service

    evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Registers COM server for autorun

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses Session Manager for persistence

    Creates Session Manager registry key to run executable early in system boot.

    persistence

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  behavioral1behavioral2