General

  • Target

    53e8aef7fecc2ce5921a730c58941532_JaffaCakes118

  • Size

    5.8MB

  • Sample

    240518-kn7g2scc69

  • MD5

    53e8aef7fecc2ce5921a730c58941532

  • SHA1

    1c3bab5f783f897c4297ea55be97b583dd86878f

  • SHA256

    4f5c33b54a841bae7acb0e8216de5120a5b068ac60cfd158eca260d1f83cf067

  • SHA512

    51ada2e1c38412874e6a283db36a74f25bab08f007996d4c290aeeb41397bb67ab8c21d1c519dcd7f3942fae2f31e996069f24a8e2f13eba2c1661f3fbfe74b4

  • SSDEEP

    98304:mcWduY6v2hONLQc4+8o7O+JPu0jMH6pLTYsfR9F/gwOh40wLZAQlaUCEIIGS:mcWdL6vWORQcp81+Rv7BTnNo8FLSQlU+

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVP/Net Player.exe

    • Size

      2.5MB

    • MD5

      f9166494f1985a3eddba32daa0b5bcc2

    • SHA1

      5cc399423c3045ba0dae8d86d36eaf4f2c46813f

    • SHA256

      6126705a56b664f9f652e40eae03bc1c279e6dd9a31f47786099e70b84b55c87

    • SHA512

      36a9474af423f34a990ba108258a5e01bbeea04bedf78f837988df620a3cedb6619c53ffe330f541001e835b4fffe451a6814540ec64c37c47a44238842dbc63

    • SSDEEP

      24576:Yv0rfSlemjqiKz25Z4MP79SSeq0wnlY/p0o8QQQQQQQQQQVxpVVVVVVVVVVVVVVg:Ylko4MP79jeq0wnlY+oYxc/

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR Player.exe

    • Size

      652KB

    • MD5

      ac92ddcd004d45551749cada041690da

    • SHA1

      7dab7a193f5b37a39fa97fa9aaef948b1bd3eced

    • SHA256

      c93ba430f498527e38cd144582eea82f535c1156c94ab8c42f113347cf94363e

    • SHA512

      e94af2a0e2e222f5867dca52fde601b88db2dbfc57dbc5b9a4318b2d22886da694eebbd8219ea12cdd9f05d7098b0ee74125d774fbd51addeec2069e6723475a

    • SSDEEP

      12288:yQHgAZ26oWvXP254EuWxkJWWWHLgW8WmWWWWUW3W2WWVXWWWWkWnWWWWWWWWWWWR:dHtZ26Dvf25GWxkJWWWHLgW8WmWWWWUP

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR/DVR.exe

    • Size

      96KB

    • MD5

      924329ec1dbf39d38db800125f32808e

    • SHA1

      421593985a6602cd73ab263d5669c168b8d37e1a

    • SHA256

      d4fb3aa593cc8c493aaa8ca767b8d8556e68ddfd15a3616422435d1c4ad735aa

    • SHA512

      bae62d29461215d985cd1852768994679512a8a8a0cb4dc69708efb6be979393512042c880b9fc6e6debfc34e1452a3b9d75cc3faff4642c07f4a48f7366bf1c

    • SSDEEP

      1536:CJsR4bLpoma63rPHhoC9JZPtqljS2ky4dWExgYJtp343gABiaO:Rioma67PHrojp4cEx5zNAXVO

    • Score

      10/10

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR/default.htm

    • Size

      687B

    • MD5

      20b2ec88b2dc1a322630f41819597573

    • SHA1

      4516e2efdb502c59f50fcf931880c4501cff7341

    • SHA256

      eb38f066a2d6cfb8b816f48a40d11f2c7f7be6fcba26612bfcb537293a791544

    • SHA512

      86fc3cdae92a6e44bcabb1cf8af43b2a6b018adef8ba1eb311fac8d8b32e6d2e4fec266aa1819bb19f7f3e8ececb5f93f4e1aa9eb2dd2dca28c429972c437f67

    • Score

      7/10

    • Loads dropped DLL

    • Program crash

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR/encode.exe

    • Size

      4.1MB

    • MD5

      3cc71ec1f6b6b0751ce3d97e8ee78977

    • SHA1

      15261133c3fd7c7348a66d0acce90b034b1fe963

    • SHA256

      0a4199680b932764af6ab901f4afddf1bcbf57a42e8584ced1a5b45ceb900105

    • SHA512

      6ea848e7a430776bf8313fcce3edff58264c85ff88acbdde46f9a3eb03807039a479f1aefdc946f60351f0b1534848ad4ef57a51d4fb2e181c8d6d72e1502676

    • SSDEEP

      98304:ky/rd9r6yMIlv//ODotFGGGRYzwllbllFFFFQoiii4k0OllRll:k

    • Score

      3/10

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR/webview.dll

    • Size

      736KB

    • MD5

      6d50265fe4d14e0ddae1b73aed37e864

    • SHA1

      2505ef562b6861bc1189967c88e0453797a88df8

    • SHA256

      68da49bcd3c1105405297b5420ae86529aec7067d6cd8427d30be577cb6b9ced

    • SHA512

      61a6e63c20b10a8b9877f3d3590e06cf0f3f1d25ddd708fc5c4f135c899f212216612ef80b95c8d600d224ab080f50032a34db1281e34d2221f580db9d4949c9

    • SSDEEP

      6144:UwQOAxBfnUDiNk5jtgf9NVmXNcc4g9xHE4i/eXXeuQeewQee7QeesQeezPQeefQJ:TiNst49N+cczk//eOhE2522xjXW

    • Score

      1/10

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR/webview.exe

    • Size

      369KB

    • MD5

      1be52c06dd3a011195f4d94b596db7cc

    • SHA1

      5b1ef3df5d3d7476d8f641cce92a32eb5f6eceae

    • SHA256

      c5550f8bb9b7779ab499448000ea54022cf8866fb7924abfc97d9f91bc9db010

    • SHA512

      60fe7a59872f0b6420e2b5201b037221492cbfdefbcc64c6c9f403184e60c86ec792be9136609f8ee420b020800f3236d1f7a76f02e878f9bc2849b574a6c332

    • SSDEEP

      6144:BZuuObR8sVImcyYC5Jk2PM1fHLEm20M3vX6B/6FZ+gsRJyl4z1RDXDEL:uV+mzIdQm20MfG/AAml4/DIL

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/InstallDrivers.exe

    • Size

      112KB

    • MD5

      df93c0f3e92b0cc60e59f60fae72cb48

    • SHA1

      24403e64913c5f61de9ff8d3f8390a2422b86660

    • SHA256

      cfadb80d6d57fc668959bfa6debb7b55cb058fc18a974efd2b0caf1dbc1c360d

    • SHA512

      65ff5224136ece78f15297a0a80aec0b18f14f2d9547d3f099e46f70c77813294e85499606f193aa0da677bf5a0ddeb5b538c8075e75eb3a1d7e4ca400902498

    • SSDEEP

      3072:eEukooRHLZU8nEpo+j9fDmmG3oJd+XqNOe:TRZzneoQ9f6mG4yfe

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/Setup.exe

    • Size

      6.1MB

    • MD5

      ad5def7b4d6685fbd3ca1b54804ff2a0

    • SHA1

      ac303840cf6eaef3670400330e81c40cd21b55e2

    • SHA256

      1e113923ae4b006ef4a8102f110710cca92ff10c1940bd218a0eacbd9bc97e07

    • SHA512

      c3ca2ac7d35698c39db059c957da8eb3f6a18a1c6f5c5612d0ac506600c3abcecc6c1b48d6dcb0d149758d6d7d57589056e5526759d95996e11f4942679eadeb

    • SSDEEP

      49152:OmujQnm3XvHntgeMND47DnGKMMMMMMMMMRmJwD:OmujQnHKMMMMMMMMMRmU

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/driver/cx25820.sys

    • Size

      15KB

    • MD5

      8c58999013735b2d61f1fefe0ac24173

    • SHA1

      4a9d0aadc16a4979ffd79d8639e040d8531a44a2

    • SHA256

      316e9e47ac6f794e06e5bfd44874a44bf729714e086ab02c5111cc4173cb3cee

    • SHA512

      858fa259dff9bd337e2ccf7bbd633319ab1d1b92266d53bd9da80f3dd178d4d1dbce5a80ff2cfc355d0c7de2c71fe3dc093d3ffe4e1dfee94707644f128cbbf9

    • SSDEEP

      384:ZbybVuFfNbz65fZlZJY63u8ZOppGdnLUdJP2m:ZmbVuNNbe5RhbFdnQdl

    • Score

      1/10

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/foo.exe

    • Size

      304KB

    • MD5

      59555007edc2e58f84e02403b6524131

    • SHA1

      094aa76912fd62b3098617ed988c8b47529d1ebf

    • SHA256

      33fb93fce6f3e077a1bd82913cdbd14b50de9e5435db1aa2ecf344bd031ff5e4

    • SHA512

      522860b2cdfc1f5a2b38cfd5508d85557948bfc8762e302027b329bab49fc4b568b27d0cc5118bfd54ac60cdb3cd80545eb06e15ecaae93eeb55864e49cdf95f

    • SSDEEP

      3072:k/jazHf6wLjEVcatttttttnz/yikU+XNYvfxc+6o45qIQopTqJpmIA2ca2nBEx82:k/jMSSIz9f+XNOJLv45xRPETGjU78Eb

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/help.chm

    • Size

      2.7MB

    • MD5

      c6490a71f177f7d1e71073b07e1602aa

    • SHA1

      d99557e3c974b39644735b7c09044faa9f97a9c2

    • SHA256

      9723fea474e074994288f6c3cdc2ab2e04a037c2112b93296e8e2ad7e166bf2a

    • SHA512

      186da897e91a48eef2737c2644cae7098ce55524acca48ba7fef5bf3b6e0fd6cbef70e53320209cbfcdbb4e22c04cc69ba99b38102cd149b1064fbe7d8dfbb1c

    • SSDEEP

      49152:DuYZ3pGdh2El4DIMn4NLQcl+A1c7lodqqpHhm+J6IV2xn0jMjTlM94kLRgPJWNvV:DuY6v2hONLQc4+8o7O+JPu0jMH6pLTY2

    • Score

      1/10

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/merger.exe

    • Size

      92KB

    • MD5

      8cb4cef7b6e8d97562d187ac9866654a

    • SHA1

      0e66b235caa369ab5828759d730a3d4dede5bf9c

    • SHA256

      abf4cb484f09989ccfe05cbd470665b341c0eedcbc17e2232c237a3e202bfe3f

    • SHA512

      1edec7c3a4a1755db592226326411056d1c60e8a003ecb7024221db417f183b9d5202389fac63fd1ec209136c7477d3957b6a7c018188f957f841ab6773be9cc

    • SSDEEP

      1536:Mu/G4WXrx0ocGfVe/+/yP+aHleIn2kjwk9Cfo6hoie2mMlUo7nlgbzoSE:MxrSocGfVjabn2VkJEnljF

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      1408_cn_V8.3.0.0/1408_cn_8.3.0.0/常见问题解决方法.doc

    • Size

      25KB

    • MD5

      834ac7aecbf4bd415d495b6c7ea34af5

    • SHA1

      1fe73d219fe12e449d6a5dc7993776849bb59896

    • SHA256

      85136ac4dbf3cc5aa6b28110fec6eb4642195c0f7835c927cba8b0e4ee8faec5

    • SHA512

      3ca542294521d9e4b67b3f7f312e921aa3e7f1a6c0902f1380643ed6b35ad999af26f9e4d0f76bbd5c2885df47451afb81fa99a28a41f2f427725fa07737d95a

    • SSDEEP

      96:qVlW08R0JMoZCgor0A+bDiU4aLCXP0M99hzlwV7ET1R468xLQ6p7eqp0SWcvrqBj:qV4gXw+PLKPVVwV77E6N0StvG8tu5S

    • Score

      4/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic               | ID        | Technique                          | Count
Persistence          | T1543     | Create or Modify System Process    | 7
Persistence          | T1543.003 | Windows Service                    | 7
Privilege Escalation | T1548     | Abuse Elevation Control Mechanism  | 7
Privilege Escalation | T1548.002 | Bypass User Account Control        | 7
Privilege Escalation | T1543     | Create or Modify System Process    | 7
Privilege Escalation | T1543.003 | Windows Service                    | 7
Defense Evasion      | T1548     | Abuse Elevation Control Mechanism  | 7
Defense Evasion      | T1548.002 | Bypass User Account Control        | 7
Defense Evasion      | T1562     | Impair Defenses                    | 28
Defense Evasion      | T1562.001 | Disable or Modify Tools            | 21
Defense Evasion      | T1562.004 | Disable or Modify System Firewall  | 7
Defense Evasion      | T1112     | Modify Registry                    | 31
Discovery            | T1082     | System Information Discovery       | 11
Discovery            | T1012     | Query Registry                     | 3

Tasks

Task         | Tags                                | Score
static1      |                                     | 3/10
behavioral1  |                                     | 3/10
behavioral2  | sality backdoor evasion trojan upx  | 10/10
behavioral3  |                                     | 3/10
behavioral4  | sality backdoor evasion trojan upx  | 10/10
behavioral5  |                                     | 3/10
behavioral6  | sality backdoor upx                 | 10/10
behavioral7  |                                     | 7/10
behavioral8  |                                     | 1/10
behavioral9  |                                     | 3/10
behavioral10 |                                     | 3/10
behavioral11 |                                     | 1/10
behavioral12 |                                     | 1/10
behavioral13 |                                     | 3/10
behavioral14 | sality backdoor evasion trojan upx  | 10/10
behavioral15 |                                     | 3/10
behavioral16 | sality backdoor evasion trojan upx  | 10/10
behavioral17 |                                     | 3/10
behavioral18 | sality backdoor evasion trojan upx  | 10/10
behavioral19 |                                     | 1/10
behavioral20 |                                     | 1/10
behavioral21 |                                     | 3/10
behavioral22 | sality backdoor evasion trojan upx  | 10/10
behavioral23 |                                     | 1/10
behavioral24 |                                     | 1/10
behavioral25 |                                     | 1/10
behavioral26 | sality backdoor evasion trojan upx  | 10/10
behavioral27 |                                     | 4/10
behavioral28 |                                     | 1/10