General

  • Target

    db60cec98bc300e956e1247febe8635b1b9b1ef186a3da2c73527f2ec14a7f1c

  • Size

    124KB

  • Sample

    240609-d18sbada2z

  • MD5

    b32f165431529e97f3da577cb2dc69ad

  • SHA1

    91c5d2c70db3a482119dc1ec8a36a5d7bfec8550

  • SHA256

    db60cec98bc300e956e1247febe8635b1b9b1ef186a3da2c73527f2ec14a7f1c

  • SHA512

    6cd871dbeb29d6cc2d1fcf9816492a791b63fe144ee308984a200ff662155a4c4cc0f8bb1987e8f1e6fbd4345c982adaea0c80a32984e0b716d088bf102c0411

  • SSDEEP

    3072:cMxftffjmNfZM9+L/7MjKk8QAP+QxbZyRO68kYNt4O77Y:ZVfjmNfK9+Tk8u8bZIukHO77Y

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      db60cec98bc300e956e1247febe8635b1b9b1ef186a3da2c73527f2ec14a7f1c

    • Size

      124KB

    • MD5

      b32f165431529e97f3da577cb2dc69ad

    • SHA1

      91c5d2c70db3a482119dc1ec8a36a5d7bfec8550

    • SHA256

      db60cec98bc300e956e1247febe8635b1b9b1ef186a3da2c73527f2ec14a7f1c

    • SHA512

      6cd871dbeb29d6cc2d1fcf9816492a791b63fe144ee308984a200ff662155a4c4cc0f8bb1987e8f1e6fbd4345c982adaea0c80a32984e0b716d088bf102c0411

    • SSDEEP

      3072:cMxftffjmNfZM9+L/7MjKk8QAP+QxbZyRO68kYNt4O77Y:ZVfjmNfK9+Tk8u8bZIukHO77Y

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Tasks