General
-
Target
43ea7d6299dc407353563f685e6ef9658fd05df8ecfa958f763a6e06da492f99
-
Size
120KB
-
Sample
240521-1wk7sabg29
-
MD5
d8b1e29cafd3942be35c1e628f0c3d71
-
SHA1
a3f334a243ecf73d33d5e6459894f228be71e7ab
-
SHA256
43ea7d6299dc407353563f685e6ef9658fd05df8ecfa958f763a6e06da492f99
-
SHA512
b0c2ffa4a268ced458067837e2c24eb88e4cf3532930e013dee25a8b37ea4b0d354918fe823f403fe738dc6e37a1d6d8a2f5eac34ef02ddba14e16658d01bb7b
-
SSDEEP
3072:tYtZLGa/JxU3qLwJigbvdOTaHaQMt39jsveTFR:ijP/KqLXzNjsvc
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
43ea7d6299dc407353563f685e6ef9658fd05df8ecfa958f763a6e06da492f99
-
Size
120KB
-
MD5
d8b1e29cafd3942be35c1e628f0c3d71
-
SHA1
a3f334a243ecf73d33d5e6459894f228be71e7ab
-
SHA256
43ea7d6299dc407353563f685e6ef9658fd05df8ecfa958f763a6e06da492f99
-
SHA512
b0c2ffa4a268ced458067837e2c24eb88e4cf3532930e013dee25a8b37ea4b0d354918fe823f403fe738dc6e37a1d6d8a2f5eac34ef02ddba14e16658d01bb7b
-
SSDEEP
3072:tYtZLGa/JxU3qLwJigbvdOTaHaQMt39jsveTFR:ijP/KqLXzNjsvc
Score10/10-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3