General

  • Target

    80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe

  • Size

    132KB

  • Sample

    240522-3ngkqsdd9y

  • MD5

    6e61786732b6f48298ece472af802c25

  • SHA1

    89a1e36c6e7451081cca20351c2aac9c4c2672f8

  • SHA256

    80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe

  • SHA512

    1aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220

  • SSDEEP

    1536:DJf83W8W60IL26Ap8iJySzlme3pUy3TDq+NcawHbNBleOD6MlSoUljObrEF8EX4n:DJCD548iJHxfq+Ncaw3fuOUhPm+N

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe

    • Size

      132KB

    • MD5

      6e61786732b6f48298ece472af802c25

    • SHA1

      89a1e36c6e7451081cca20351c2aac9c4c2672f8

    • SHA256

      80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe

    • SHA512

      1aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220

    • SSDEEP

      1536:DJf83W8W60IL26Ap8iJySzlme3pUy3TDq+NcawHbNBleOD6MlSoUljObrEF8EX4n:DJCD548iJHxfq+Ncaw3fuOUhPm+N

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

7
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Tasks