General
-
Target
870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
-
Size
4.4MB
-
Sample
240518-3f9ljsdh5t
-
MD5
93bf1a918b8ea7bfd4d53f7f54de6282
-
SHA1
b8aea380163f1a82bee3b41d1042261c06f70e04
-
SHA256
870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
-
SHA512
ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066
-
SSDEEP
1536:MNyqVAb8dnlAUTFTgKDzRDVE4jt5HMCceGzcfdRTgYtSp1C7Sqbz67:sZVAIBlAUJTznR7qCVGzcf7g2Sq67
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
-
Size
4.4MB
-
MD5
93bf1a918b8ea7bfd4d53f7f54de6282
-
SHA1
b8aea380163f1a82bee3b41d1042261c06f70e04
-
SHA256
870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
-
SHA512
ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066
-
SSDEEP
1536:MNyqVAb8dnlAUTFTgKDzRDVE4jt5HMCceGzcfdRTgYtSp1C7Sqbz67:sZVAIBlAUJTznR7qCVGzcf7g2Sq67
Score10/10-
Modifies firewall policy service
-
Modifies visibility of file extensions in Explorer
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9