General

  • Target

    69da6a3dfbc4553774a8a7d3074aa4b2f93ce574e560e96c9a4c244737a0da5a

  • Size

    151KB

  • Sample

    240615-2eybfs1dnn

  • MD5

    e75a10252ae3220efc4ce15e2c5ada7f

  • SHA1

    3bdc2881e97b645fd48b729ce559449b7133d8fb

  • SHA256

    69da6a3dfbc4553774a8a7d3074aa4b2f93ce574e560e96c9a4c244737a0da5a

  • SHA512

    70b00d8f6ad89a4bcaf078ebed340ad05acfa7b1144c801c5f0fc12aec561f9efc25a78c1042e4ee3b2d1fbe6e3a5e274389fff815fab0d0e3991d043cf007ec

  • SSDEEP

    3072:FKYjRMm5CH8RWtAlk2jV6A4z13XShALof9Kr:BRMCd22JURShAH

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Tactic                Technique                             Count  ID
Persistence           Create or Modify System Process       1      T1543
                        Windows Service                     1      T1543.003
Privilege Escalation  Create or Modify System Process       1      T1543
                        Windows Service                     1      T1543.003
                      Abuse Elevation Control Mechanism     1      T1548
                        Bypass User Account Control         1      T1548.002
Defense Evasion       Modify Registry                       5      T1112
                      Abuse Elevation Control Mechanism     1      T1548
                        Bypass User Account Control         1      T1548.002
                      Impair Defenses                       3      T1562
                        Disable or Modify Tools             3      T1562.001
Discovery             System Information Discovery          1      T1082

Tasks