General
-
Target
e268e1e00399203387feab47fd32b904a136b268a9ed01b901621fd2913500d3
-
Size
1.4MB
-
Sample
240508-mdx7qsab62
-
MD5
a8015f7c8e3f710e0de136f831e94ac8
-
SHA1
ab2bc965d1144725747753fc47e44332a5abfb82
-
SHA256
e268e1e00399203387feab47fd32b904a136b268a9ed01b901621fd2913500d3
-
SHA512
9a798e548dad57c2c7612ff8e3cc6961bdc245d5d1a334c790c8950b613f05fdd3a66f6e4a9e0684a011fb549d864b226614025500764cc3be0ace85dba8d77b
-
SSDEEP
24576:Ij8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+Lc:JKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
e268e1e00399203387feab47fd32b904a136b268a9ed01b901621fd2913500d3
-
Size
1.4MB
-
MD5
a8015f7c8e3f710e0de136f831e94ac8
-
SHA1
ab2bc965d1144725747753fc47e44332a5abfb82
-
SHA256
e268e1e00399203387feab47fd32b904a136b268a9ed01b901621fd2913500d3
-
SHA512
9a798e548dad57c2c7612ff8e3cc6961bdc245d5d1a334c790c8950b613f05fdd3a66f6e4a9e0684a011fb549d864b226614025500764cc3be0ace85dba8d77b
-
SSDEEP
24576:Ij8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+Lc:JKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS
Score10/10-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Modifies Installed Components in the registry
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
7