General

  • Target

    2024-02-20_ae6b0d6747af6e8941e2b620daab8eae_magniber

  • Size

    3.5MB

  • Sample

    240220-gerhpacb4v

  • MD5

    ae6b0d6747af6e8941e2b620daab8eae

  • SHA1

    229f177f2cc869755b9fdbeb885f35103de20162

  • SHA256

    4cb9f5674ec4597b651ee14c8999badaa76429f7c26ca81296b7c09569899ba9

  • SHA512

    cdf410ff32d3aad3ce8a5289aa7fd0492ef99f3de53201ba13375e4bfc873404a44a837a42cb138ec96fd3142bc03da5ba59035bf4d626146bf27c3c10f61e01

  • SSDEEP

    49152:UV7NOj20EwwqPPyvm1K61W6v/+HndvR/49IHY4v/:UFhwwil2Hndv

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      2024-02-20_ae6b0d6747af6e8941e2b620daab8eae_magniber

    • Size

      3.5MB

    • MD5

      ae6b0d6747af6e8941e2b620daab8eae

    • SHA1

      229f177f2cc869755b9fdbeb885f35103de20162

    • SHA256

      4cb9f5674ec4597b651ee14c8999badaa76429f7c26ca81296b7c09569899ba9

    • SHA512

      cdf410ff32d3aad3ce8a5289aa7fd0492ef99f3de53201ba13375e4bfc873404a44a837a42cb138ec96fd3142bc03da5ba59035bf4d626146bf27c3c10f61e01

    • SSDEEP

      49152:UV7NOj20EwwqPPyvm1K61W6v/+HndvR/49IHY4v/:UFhwwil2Hndv

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks