General

  • Target: 436c10bd50b9ef6b557688e78f0385e6bcf805ba39c9187669ad0831a1f72321
  • Size: 3.0MB
  • Sample: 240610-c2t5wabe47
  • MD5: 5751dfe3132b6014b86b932277d828f4
  • SHA1: 04f1891908dc3255cc321359ba68d34bd07b8d2c
  • SHA256: 436c10bd50b9ef6b557688e78f0385e6bcf805ba39c9187669ad0831a1f72321
  • SHA512: 0406882eb0d4e311bbb9daabdf59f6f4f292a5285df22ad3a10ddf853a974d3bac40493e5e0b0015121be8f010a650a75510d6b8bcb0d235a174751db37c861e
  • SSDEEP: 49152:D6lhxiv21qo5iNYhPLop1exIoszDVKbYTyxIapoVe:DKULo5ieho1bXDVGxJpo

Malware Config

Extracted

  • Family: sality
  • C2:
      http://89.119.67.154/testo5/
      http://kukutrustnet777.info/home.gif
      http://kukutrustnet888.info/home.gif
      http://kukutrustnet987.info/home.gif
      http://www.klkjwre9fqwieluoi.info/
      http://kukutrustnet777888.info/

Targets

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID and the number of matching signatures.

Initial Access

  • Replication Through Removable Media (T1091): 1

Persistence

  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Abuse Elevation Control Mechanism (T1548): 1
      • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Modify Registry (T1112): 5
  • Abuse Elevation Control Mechanism (T1548): 1
      • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 3
      • Disable or Modify Tools (T1562.001): 3

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2
  • Peripheral Device Discovery (T1120): 1

Lateral Movement

  • Replication Through Removable Media (T1091): 1

Tasks