General

  • Target

    f3ccec8231b6aa0375afe0f0ca4787f731ac804b568520249fe64b997da5f01b

  • Size

    167KB

  • Sample

    240611-fp6jxswcrm

  • MD5

    c6d5be39207461cac5072aa35ccb304d

  • SHA1

    d9e91bd8a6d61251e6f2d0f102cdeb0d7af3a6e6

  • SHA256

    f3ccec8231b6aa0375afe0f0ca4787f731ac804b568520249fe64b997da5f01b

  • SHA512

    35e5c21195b6f695c5c041e0c2defb733554e1b6b028c3b6ec95aa509953d17bc28c51847abadcef2700a53fc7fb5a9edc4f788b0c5ac2f1e47112a59f336f87

  • SSDEEP

    3072:W6g3/uKUu8QZyF+mKdtsLBa4pOr+j3z1SE7JlA9NPrkIZHRjlZy95ug:WR3vUvQGx3Lo4pO6jDf7k7P5Py4g

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      f3ccec8231b6aa0375afe0f0ca4787f731ac804b568520249fe64b997da5f01b

    • Size

      167KB

    • MD5

      c6d5be39207461cac5072aa35ccb304d

    • SHA1

      d9e91bd8a6d61251e6f2d0f102cdeb0d7af3a6e6

    • SHA256

      f3ccec8231b6aa0375afe0f0ca4787f731ac804b568520249fe64b997da5f01b

    • SHA512

      35e5c21195b6f695c5c041e0c2defb733554e1b6b028c3b6ec95aa509953d17bc28c51847abadcef2700a53fc7fb5a9edc4f788b0c5ac2f1e47112a59f336f87

    • SSDEEP

      3072:W6g3/uKUu8QZyF+mKdtsLBa4pOr+j3z1SE7JlA9NPrkIZHRjlZy95ug:WR3vUvQGx3Lo4pO6jDf7k7P5Py4g

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Replication Through Removable Media

1
T1091

Tasks