General
-
Target
81080e6129580f31d41dba59ec69e8bef38736dfcc223d50a3b4aaccf711046f
-
Size
991KB
-
Sample
240522-cfzhgagg87
-
MD5
f0f6f5969c92b6bc9cc7b694e597980b
-
SHA1
693413456cb6af512950a84a6f0fa056b45e1099
-
SHA256
81080e6129580f31d41dba59ec69e8bef38736dfcc223d50a3b4aaccf711046f
-
SHA512
48782629c8c10676e15f0d3696cc2d498c6270204a7385072db0a69a2aaa6fa0b32f38ba93ac177a69494ca5d7e08c89e7c7a81e662bacc8902721a45d62d90f
-
SSDEEP
24576:bv2BLHSn6q1v8c5YNei+1ZC58vH8sSMv+WFzQa1bek:bxn316Nei+1ZCQ8sj+WF1N
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
81080e6129580f31d41dba59ec69e8bef38736dfcc223d50a3b4aaccf711046f
-
Size
991KB
-
MD5
f0f6f5969c92b6bc9cc7b694e597980b
-
SHA1
693413456cb6af512950a84a6f0fa056b45e1099
-
SHA256
81080e6129580f31d41dba59ec69e8bef38736dfcc223d50a3b4aaccf711046f
-
SHA512
48782629c8c10676e15f0d3696cc2d498c6270204a7385072db0a69a2aaa6fa0b32f38ba93ac177a69494ca5d7e08c89e7c7a81e662bacc8902721a45d62d90f
-
SSDEEP
24576:bv2BLHSn6q1v8c5YNei+1ZC58vH8sSMv+WFzQa1bek:bxn316Nei+1ZCQ8sj+WF1N
Score10/10-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables containing possible sandbox analysis VM usernames
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3