General

  • Target

    7zipInstall

  • Size

    1.7MB

  • Sample

    240916-y2xrnaxgpp

  • MD5

    2f1c289f01194fd6bc6308625890cd12

  • SHA1

    b02e5d248908f52c06339d53ed45f0e138262685

  • SHA256

    224b65935f96db7d2a4696db4bf5f6ce539879e3f887d1e281d8fcfbe3da3da0

  • SHA512

    f59f69a49f2a08c121944dc0a82fd71d7ca574e5d3d4e2b26991f3340f4cf50349ddcc2a8740bcfabcec7828df78b01a6ca72a69ef3fa41ae6544cf0b0630df1

  • SSDEEP

    49152:4DsaqltwW/jlSQ9T235RQ0vgBj+yxKVgzQqFJbx9:4DsflD/jlSQMY9xK61FJV9

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
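The extracted configuration above is what a responder actually uses: the file hashes identify this exact sample, and the C2 URLs are the network indicators to hunt for. The script below is an added example, not part of the original sandbox report, that turns those two indicator types into a local check: it hashes a file and compares it to the report's digests, and it matches proxy log lines against the C2 hostnames. The hashes and URLs are copied from the report; the log lines and their column layout are constructed for illustration and are not real telemetry.

```python
"""Check files and proxy logs against the Sality IOCs from the report above.

Added example, not part of the original report. Hashes and C2 URLs are copied
from the report; the proxy log lines below are constructed, not real traffic.
"""
import hashlib
import re
from urllib.parse import urlparse

# File hashes of the analysed sample (from the report)
REPORT_HASHES = {
    "md5": "2f1c289f01194fd6bc6308625890cd12",
    "sha1": "b02e5d248908f52c06339d53ed45f0e138262685",
    "sha256": "224b65935f96db7d2a4696db4bf5f6ce539879e3f887d1e281d8fcfbe3da3da0",
    "sha512": "f59f69a49f2a08c121944dc0a82fd71d7ca574e5d3d4e2b26991f3340f4cf50349ddcc2a8740bcfabcec7828df78b01a6ca72a69ef3fa41ae6544cf0b0630df1",
}

# Extracted C2 URLs (from the report)
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]


def normalise_host(host: str) -> str:
    """Lower-case a hostname and drop a leading 'www.' so that
    klkjwre9fqwieluoi.info matches with or without the prefix."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def c2_hosts(urls=C2_URLS) -> set:
    """Set of normalised hostnames/IPs taken from the C2 URL list."""
    return {normalise_host(urlparse(u).hostname) for u in urls}


def host_is_c2(host: str, hosts: set) -> bool:
    """Exact match on the C2 host, or a subdomain of it. Suffix matching is
    anchored on a dot so kukutrustnet777.example.net does not match."""
    host = normalise_host(host)
    return any(host == c2 or host.endswith("." + c2) for c2 in hosts)


def hash_bytes(data: bytes) -> dict:
    """Digest `data` with every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def matches_report(data: bytes) -> list:
    """Algorithms under which `data` equals the report's sample (empty if none)."""
    digests = hash_bytes(data)
    return [alg for alg, val in REPORT_HASHES.items() if digests[alg] == val]


# Constructed log layout (an assumption, not a real proxy format):
# "<date> <time> <src_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)")


def scan_proxy_log(lines) -> list:
    """Return (timestamp, src_ip, url) for requests to a known Sality C2 host."""
    hosts = c2_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlparse(m["url"]).hostname
        if host and host_is_c2(host, hosts):
            hits.append((m["ts"], m["src"], m["url"]))
    return hits


# Constructed proxy log lines (not real traffic)
SAMPLE_LOG = """\
2024-09-16 10:01:02 10.0.0.5 GET http://example.com/index.html
2024-09-16 10:01:07 10.0.0.5 GET http://kukutrustnet777.info/home.gif
2024-09-16 10:01:09 10.0.0.9 GET http://www.klkjwre9fqwieluoi.info/
2024-09-16 10:01:11 10.0.0.5 GET http://89.119.67.154/testo5/
2024-09-16 10:02:00 10.0.0.7 GET http://kukutrustnet777.example.net/
""".splitlines()

if __name__ == "__main__":
    for ts, src, url in scan_proxy_log(SAMPLE_LOG):
        print(f"C2 contact: {ts} {src} -> {url}")
    with open(__file__, "rb") as fh:  # hash this script as a stand-in for a suspect file
        print("report hash matches:", matches_report(fh.read()))
```

Host matching is deliberately exact (or dot-anchored suffix) rather than substring, so look-alike domains on another TLD are not flagged; the SSDEEP value in the report is not used here because fuzzy matching needs the separate ssdeep library and is only meaningful for near-variants, not this exact sample.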

Targets

    • Floxif, Floodfix

      Floxif, also known as FloodFix, is a file-infecting trojan and backdoor written in C++.

    • Modifies firewall policy service

    • Sality

      Sality is a polymorphic file-infecting virus and backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects Floxif payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
