General

  • Target

    850053727880deb231ee4023127f10e5320ac6fd9a0e8df8533e049ac9a3be54N

  • Size

    3.7MB

  • Sample

    241110-ttqwxszgpp

  • MD5

    74af3f6cfee2887c897148508a9c03b0

  • SHA1

    42f6109b34c6812890c51f0435d1e0e10825f94f

  • SHA256

    850053727880deb231ee4023127f10e5320ac6fd9a0e8df8533e049ac9a3be54

  • SHA512

    3eaa8bc5a5e556e6fc2372e71e2f7b89fa83cf4db4b2724482a6902a5613ebfe011b0f9d19d39ee7cefbe0eaa4f937478d48c3b9ae4bb79645779c70c63817da

  • SSDEEP

    49152:6vOAaj8fG7xSjf6Onqq7VMdlij5uIGHuv1LBUPoj6tv49yL2Pa9SV78AhcDYbX3t:uWQ+HOq++liduCtLBlOMyL2i9avccb39

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks