General

  • Target

    7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b

  • Size

    120KB

  • Sample

    240522-by3r6sgb39

  • MD5

    423ebc006b6fcd8ec3b6a1fe5a167618

  • SHA1

    29e7e3dbdebf3f23a6cc2c7ff29c7677e8d2a6ec

  • SHA256

    7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b

  • SHA512

    9af7eb5354967a7e4aeb7ce2f89c5670ef1be06f52a50c46474abf0fed6e3a5a0b332bd88e5973b6a7c30c7311bcfb2ba3a90ccfb14250e13431646200f5334f

  • SSDEEP

    3072:Qh26F5ZpdPl0r4KDylytxN9UyIBI/RR0+ITIIL46TG:j6FPlW6yH/JITIIL46TG

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b

    • Size

      120KB

    • MD5

      423ebc006b6fcd8ec3b6a1fe5a167618

    • SHA1

      29e7e3dbdebf3f23a6cc2c7ff29c7677e8d2a6ec

    • SHA256

      7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b

    • SHA512

      9af7eb5354967a7e4aeb7ce2f89c5670ef1be06f52a50c46474abf0fed6e3a5a0b332bd88e5973b6a7c30c7311bcfb2ba3a90ccfb14250e13431646200f5334f

    • SSDEEP

      3072:Qh26F5ZpdPl0r4KDylytxN9UyIBI/RR0+ITIIL46TG:j6FPlW6yH/JITIIL46TG

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Tasks