General
-
Target
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
Size
157KB
-
Sample
240417-w74faabe9s
-
MD5
04739948ba1b0e0e5a36913914a19dae
-
SHA1
2c1622b237e6ea49a5297f3060d9b216a0760b32
-
SHA256
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
SHA512
811caf83ce7b583b720612f9e5c989726727804ae0af9c730fe0f8c46078ac0cea4e1bd0cfeb88cd8501de970a87771a9af9bcb53d6e4e6af4777d2f968894f5
-
SSDEEP
3072:xeZUO+PHKrXl0CFh5mlhQ+Z/KuSWviHJjqGXer4:xyd+P8CCFPmlq+IbhX04
Malware Config
Extracted
phorphiex
http://185.215.113.66/
0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b
THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto
1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6
qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL
LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX
rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH
ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH
t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn
bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd
bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg
bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
Size
157KB
-
MD5
04739948ba1b0e0e5a36913914a19dae
-
SHA1
2c1622b237e6ea49a5297f3060d9b216a0760b32
-
SHA256
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
SHA512
811caf83ce7b583b720612f9e5c989726727804ae0af9c730fe0f8c46078ac0cea4e1bd0cfeb88cd8501de970a87771a9af9bcb53d6e4e6af4777d2f968894f5
-
SSDEEP
3072:xeZUO+PHKrXl0CFh5mlhQ+Z/KuSWviHJjqGXer4:xyd+P8CCFPmlq+IbhX04
Score10/10-
Modifies firewall policy service
-
Modifies security service
-
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3