General

  • Target

    2024-02-18_f3a99faf0b6b24a8ce136a67cf1c7c3c_magniber

  • Size

    1.1MB

  • Sample

    240218-p46mxaab91

  • MD5

    f3a99faf0b6b24a8ce136a67cf1c7c3c

  • SHA1

    1ad1748c5b525caa71cf5b029371895d21191eab

  • SHA256

    ffa724f8eb4f9c8521c99372da9b7ba0137d7b60b3406275c26f8e0400b3be73

  • SHA512

    34b5263a5a459911d88bf828d56f1d89d15c28cacfb7ed0c188a1d19e3e83b0f9f1ea45e4793ebba838273b9d9435c31531892c007f42c992c5c770ecfac5a6e

  • SSDEEP

    24576:g97CreN7inwWTHeIDUpuNIHsARhlUw6C5E+VzP9qEAipxBz:g97NI9UpuyHsAdbvE+d8YxJ

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      2024-02-18_f3a99faf0b6b24a8ce136a67cf1c7c3c_magniber

    • Size

      1.1MB

    • MD5

      f3a99faf0b6b24a8ce136a67cf1c7c3c

    • SHA1

      1ad1748c5b525caa71cf5b029371895d21191eab

    • SHA256

      ffa724f8eb4f9c8521c99372da9b7ba0137d7b60b3406275c26f8e0400b3be73

    • SHA512

      34b5263a5a459911d88bf828d56f1d89d15c28cacfb7ed0c188a1d19e3e83b0f9f1ea45e4793ebba838273b9d9435c31531892c007f42c992c5c770ecfac5a6e

    • SSDEEP

      24576:g97CreN7inwWTHeIDUpuNIHsARhlUw6C5E+VzP9qEAipxBz:g97NI9UpuyHsAdbvE+d8YxJ

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks