General

  • Target

    c1478329d6393ffbdcc14cd5d1aafba0bc99c5be406b6f6386d26bf81a0f0726

  • Size

    1.8MB

  • Sample

    240609-d5s8esda8w

  • MD5

    b2bd3f5b99a0b66b773baf2f18f252b7

  • SHA1

    a6f0de6800201991da6646bbc16de5d57cff3981

  • SHA256

    c1478329d6393ffbdcc14cd5d1aafba0bc99c5be406b6f6386d26bf81a0f0726

  • SHA512

    046cb8805946ddc676eb53dfd17d724d0172b22921829614454b8207aab20391a67d083ad32bcfe429b4367c68205dc155ac50ea30c01d6b06973fb906757b05

  • SSDEEP

    49152:kZT5CInmYNCx9Y6XUTUGC/Tz8EE/Tz8ELQv9QbIsk+v/gC:OdCInmYNCx9YMGCn8EEn8E6Q8sv

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      c1478329d6393ffbdcc14cd5d1aafba0bc99c5be406b6f6386d26bf81a0f0726

    • Size

      1.8MB

    • MD5

      b2bd3f5b99a0b66b773baf2f18f252b7

    • SHA1

      a6f0de6800201991da6646bbc16de5d57cff3981

    • SHA256

      c1478329d6393ffbdcc14cd5d1aafba0bc99c5be406b6f6386d26bf81a0f0726

    • SHA512

      046cb8805946ddc676eb53dfd17d724d0172b22921829614454b8207aab20391a67d083ad32bcfe429b4367c68205dc155ac50ea30c01d6b06973fb906757b05

    • SSDEEP

      49152:kZT5CInmYNCx9Y6XUTUGC/Tz8EE/Tz8ELQv9QbIsk+v/gC:OdCInmYNCx9YMGCn8EEn8E6Q8sv

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Tasks