General

  • Target

    307ae20135569c40cb81f59439435120_NeikiAnalytics.exe

  • Size

    120KB

  • Sample

    240522-qg979acf58

  • MD5

    307ae20135569c40cb81f59439435120

  • SHA1

    7bcc3bfc50c6fe7c1bb9e8a426cc6c7ed42d413c

  • SHA256

    58df822db4951c4f3478ffa26f48e6edbbc0b2abf85117822f62d58139a657b2

  • SHA512

    1b124c9a8ac9e1c3e79f9efe12d4981e155792b19c34e510bbfa9737fc0981e5555f1495c38c684d34a02d2da78bc2fe33a709e909529627d266dc7a11b33dc8

  • SSDEEP

    1536:iTDoLpkUDESZ2mE1/rhv9bSE3x5s+5UY5jpP2Jlwly9/4+lB2kD:ysLGUDijRJwMPwV9A+lB/

Malware Config

  • Extracted

  • Family

    sality

  • C2

    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif

Targets

    • Target

      307ae20135569c40cb81f59439435120_NeikiAnalytics.exe

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  --------------------  -------------------------------------  -----  ---------
  Persistence           Create or Modify System Process        1      T1543
                          Windows Service                      1      T1543.003
  Privilege Escalation  Create or Modify System Process        1      T1543
                          Windows Service                      1      T1543.003
                        Abuse Elevation Control Mechanism      1      T1548
                          Bypass User Account Control          1      T1548.002
  Defense Evasion       Modify Registry                        5      T1112
                        Abuse Elevation Control Mechanism      1      T1548
                          Bypass User Account Control          1      T1548.002
                        Impair Defenses                        3      T1562
                          Disable or Modify Tools              3      T1562.001
  Discovery             System Information Discovery           2      T1082
                        Query Registry                         1      T1012
                        Peripheral Device Discovery            1      T1120

Tasks