General

  • Target

    e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733

  • Size

    377KB

  • Sample

    240611-nnct8avfqf

  • MD5

    086483f438e1f9b40e39bd7c001880ba

  • SHA1

    e6b401c33f5fa331a4dc95dec00806a01777cd7c

  • SHA256

    e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733

  • SHA512

    bdd53e85dc6ad6d5f59904db5df47d3b30801f8e2656017f3cd29f8b0b7e463d8b6478c9da1d32e2b8ea265361470a53cef9fd4fb41ae4137e2bdde0364035dc

  • SSDEEP

    6144:nVfjmNlVfjmNfK9+Tk8u8bZIukHO77kK9+fCSFwq++b+s8W1CSFwq++b+s8:V7+D7+Pu8BXUoX+b+sJoX+b+s

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733

    • Size

      377KB

    • MD5

      086483f438e1f9b40e39bd7c001880ba

    • SHA1

      e6b401c33f5fa331a4dc95dec00806a01777cd7c

    • SHA256

      e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733

    • SHA512

      bdd53e85dc6ad6d5f59904db5df47d3b30801f8e2656017f3cd29f8b0b7e463d8b6478c9da1d32e2b8ea265361470a53cef9fd4fb41ae4137e2bdde0364035dc

    • SSDEEP

      6144:nVfjmNlVfjmNfK9+Tk8u8bZIukHO77kK9+fCSFwq++b+s8W1CSFwq++b+s8:V7+D7+Pu8BXUoX+b+sJoX+b+s

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks