General

  • Target

    NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe

  • Size

    368KB

  • Sample

    231103-ckmdpsad6w

  • MD5

    693c14bc43b49bae8d393fe1c5a51300

  • SHA1

    445c720c5628b40e9bc90b846873b1b79289da10

  • SHA256

    5b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450

  • SHA512

    55f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2

  • SSDEEP

    3072:zo4L5tpV+CSA1AAPoCpxW5ATBfUNjpS1svkTVC9FieYTTLprx/m3qT4S826guKqu:FtpvoCpcNQ1jQdiG/2UzuEP/Nnrry

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif
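
The hashes in the General section and the C2 URLs above are the indicators a responder would pull out of this report. The script below is an added example, not part of the tria.ge report or of Triage's own tooling: it copies those values verbatim, hashes a file the same way the report does (MD5, SHA1, SHA256, SHA512; the SSDEEP fuzzy hash needs a third-party library and is left out), and matches the C2 hosts against proxy log lines. The Squid-style access log lines are constructed for the example; matching is on the exact hostname so a look-alike domain that merely starts with a C2 name does not match.

```python
"""Match the indicators published in this Triage report against local data.

Added example; it is not part of the tria.ge report. The hashes and C2 URLs
are copied from the report, the proxy log lines are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Digests of the submitted target, copied from the report's General section.
REPORT_HASHES = {
    "md5": "693c14bc43b49bae8d393fe1c5a51300",
    "sha1": "445c720c5628b40e9bc90b846873b1b79289da10",
    "sha256": "5b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450",
    "sha512": "55f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53"
              "d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2",
}

# C2 URLs the sandbox extracted from the sample's Sality configuration.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
]


def c2_hosts(urls):
    """Set of lower-cased hostnames / IPs taken from the C2 URL list."""
    return {urlparse(u).hostname.lower() for u in urls}


def hash_file_bytes(data):
    """Compute every digest the report lists, for a file's raw bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data):
    """True only if every digest of `data` equals the report's value.

    One mismatching digest is enough to say this is a different file; the
    sample is a file infector, so infected hosts will mostly carry modified
    copies whose hashes do not match at all.
    """
    digests = hash_file_bytes(data)
    return all(digests[name] == value for name, value in REPORT_HASHES.items())


# Constructed Squid access-log lines (not from the report):
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1699000001.123    120 10.0.0.5 TCP_MISS/200 812 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/203.0.113.10 image/gif
1699000002.456     80 10.0.0.7 TCP_MISS/200 1024 GET http://example.com/index.html - HIER_DIRECT/198.51.100.3 text/html
1699000003.789    200 10.0.0.5 TCP_MISS/404 350 GET http://89.119.67.154/testo5/ - HIER_DIRECT/89.119.67.154 text/html
1699000004.012     50 10.0.0.9 TCP_MISS/200 512 GET http://kukutrustnet777.info.evil.example/x - HIER_DIRECT/192.0.2.8 text/html
"""

# The request URL is the first whitespace-delimited http(s) token on the line.
URL_RE = re.compile(r"\s(https?://\S+)\s")


def find_c2_hits(log_text, urls=C2_URLS):
    """Return (client_ip, url) for every log line whose request host is a C2 host.

    The comparison is on the parsed hostname, so a prefix look-alike such as
    kukutrustnet777.info.evil.example is not reported.
    """
    hosts = c2_hosts(urls)
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlparse(url).hostname
        if host and host.lower() in hosts:
            client_ip = line.split()[2]
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for client_ip, url in find_c2_hits(SAMPLE_LOG):
        print(f"{client_ip} contacted Sality C2 {url}")
    print("empty file matches report:", matches_report(b""))
```

For a real investigation the `C2_URLS` list would be fed from the report's export rather than pasted, and the hash check is only useful for the pristine dropper: Sality infects other executables, so the hashes identify this one submission, not the infection on a host.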

Targets

    • Target

      NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003. It also acts as a file infector and spreads through removable media, which is consistent with the autorun.inf and drive enumeration behaviour listed here.

    • UAC bypass

    • Windows security bypass

    • Adds policy Run key to start application

    • Drops file in Drivers directory

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Modifies system executable filetype association

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the open-source UPX packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
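
The two signatures "Enumerates connected drives" and "Drops autorun.inf file" describe how this sample spreads to attached volumes. The script below is an added example, not part of the tria.ge report: it walks a list of volume roots, finds an autorun.inf regardless of filename case (FAT volumes are case-insensitive, and worms often set the file hidden and system, which does not hide it from a directory listing), and reports which executable the file would launch. The autorun.inf content is constructed to mimic the usual worm layout; the report does not publish the sample's own file, so nothing here is its actual content. The parser deliberately skips lines without an "=" because worm-written autorun.inf files often carry junk lines that would make a strict INI parser fail.

```python
"""Find autorun.inf on volume roots and report what it would launch.

Added example, not part of the tria.ge report. The autorun.inf below is
constructed; the report does not publish the sample's real file.
"""
import os
import tempfile

# Keys whose value Windows Autorun/AutoPlay would execute or offer to execute.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Constructed autorun.inf modelled on the typical worm layout (not from the report).
CONSTRUCTED_AUTORUN = """\
[AutoRun]
; junk line without a delimiter, as worms often insert
xq7f9zk2
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""


def parse_autorun(text):
    """Return [(key, value), ...] for every launch-capable key in [autorun].

    Tolerant of junk lines and of section/key case; keys are returned lower-cased.
    """
    in_autorun = False
    launches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk or a key outside the [autorun] section
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            launches.append((key, value.strip()))
    return launches


def scan_roots(roots):
    """Return (root, launches) for each volume root that carries an autorun.inf."""
    findings = []
    for root in roots:
        try:
            entries = os.listdir(root)
        except OSError:
            continue  # drive not ready, unmounted, or not readable
        for name in entries:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                launches = parse_autorun(f.read())
            if launches:
                findings.append((root, launches))
    return findings


def demo_scan():
    """Stand-in for a drive sweep: one fake infected volume, one clean one.

    Returns just the launch lists so the result does not depend on temp paths.
    """
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        with open(os.path.join(infected, "AUTORUN.INF"), "w", encoding="utf-8") as f:
            f.write(CONSTRUCTED_AUTORUN)
        return [launches for _, launches in scan_roots([infected, clean])]


if __name__ == "__main__":
    for launches in demo_scan():
        for key, value in launches:
            print(f"{key} -> {value}")
```

On a live Windows host the roots would come from the drive letters reported by the OS (for instance every letter that GetLogicalDrives marks present); the parser itself is platform-independent, so the same code can be run against a mounted forensic image of a removable drive.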

MITRE ATT&CK Enterprise v15

Tasks