General
-
Target
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff
-
Size
1.7MB
-
Sample
240522-c5yx8shh5y
-
MD5
76306394646f5a2bc1b61ded001f1b26
-
SHA1
781c36faafca1c6279cd60704a472d1503336408
-
SHA256
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff
-
SHA512
6a234c69d1a6d18f2999350fb213dc29b7eca7987d76b99e78cc2c344159bcc52e28954c8ae44b7873af7b627292e9c33c9896c23d107847991064489e6c2dc6
-
SSDEEP
24576:k5xolYQY6qObJ97J2xc20J7pBD0aej1zj1SqdAGFQZIxpK545UJoeKYd:nY4RGk7pBwVRzjYq+ZI2a5UJoeH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff
-
Size
1.7MB
-
MD5
76306394646f5a2bc1b61ded001f1b26
-
SHA1
781c36faafca1c6279cd60704a472d1503336408
-
SHA256
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff
-
SHA512
6a234c69d1a6d18f2999350fb213dc29b7eca7987d76b99e78cc2c344159bcc52e28954c8ae44b7873af7b627292e9c33c9896c23d107847991064489e6c2dc6
-
SSDEEP
24576:k5xolYQY6qObJ97J2xc20J7pBD0aej1zj1SqdAGFQZIxpK545UJoeKYd:nY4RGk7pBwVRzjYq+ZI2a5UJoeH
Score10/10-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies visiblity of hidden/system files in Explorer
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
10Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1