General

  • Target

    2024-02-16_169b091feff0c744992edde095fee9d3_icedid

  • Size

    1.2MB

  • Sample

    240216-lpx6fagc23

  • MD5

    169b091feff0c744992edde095fee9d3

  • SHA1

    d00a87d58ed0f42cdb9fc11d892ec4574b0fa4a6

  • SHA256

    f01df47d0f320ee0bd5be14b6481ec0cf67436635ab8832ea83b9063dc976c46

  • SHA512

    78f0530fbd58f183e44e0b87c1b1143a610c8e1ee4d40c30d94c5afc9fd9f76b9380875409b634c2b7ff5fadb9d1081cbb8c2c67ac2f21058933d113a24fe6ff

  • SSDEEP

    24576:3kErzrxKvffdD7+EHL0Yxtcg3Pg/gDHkj1nzqTG51ksc:3GvAErrV3Pg/EH41nzBksc

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      2024-02-16_169b091feff0c744992edde095fee9d3_icedid

    • Size

      1.2MB

    • MD5

      169b091feff0c744992edde095fee9d3

    • SHA1

      d00a87d58ed0f42cdb9fc11d892ec4574b0fa4a6

    • SHA256

      f01df47d0f320ee0bd5be14b6481ec0cf67436635ab8832ea83b9063dc976c46

    • SHA512

      78f0530fbd58f183e44e0b87c1b1143a610c8e1ee4d40c30d94c5afc9fd9f76b9380875409b634c2b7ff5fadb9d1081cbb8c2c67ac2f21058933d113a24fe6ff

    • SSDEEP

      24576:3kErzrxKvffdD7+EHL0Yxtcg3Pg/gDHkj1nzqTG51ksc:3GvAErrV3Pg/EH41nzBksc

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks