Resubmissions

11-11-2024 16:16

241111-tqrdaa1gjd 10

11-11-2024 16:13

241111-tpaddazpb1 10

26-10-2024 20:31

241026-zawkysydjh 10

General

  • Target

    137372af4a2eeccdab924279221beb685d29db39994179f57621dd070b746ede

  • Size

    686KB

  • Sample

    241111-tqrdaa1gjd

  • MD5

    e929859c926def1a89205eb9c463a610

  • SHA1

    eca5f0d8834c0d47745f1a0166b5b7a9067ddb22

  • SHA256

    137372af4a2eeccdab924279221beb685d29db39994179f57621dd070b746ede

  • SHA512

    acc61f93bc3c05d39596f93fbff4bfd1dceb6e7da06528534d15e0412da315c84fa576b00b8d1cd5970f8ea85ec63e47d756a6f3ae47cab9b572f5adedfb7d2f

  • SSDEEP

    12288:Xz2Nyw6hsU5HDcqxDTThrp3g/gvIW4LUf3PqNzPgUdPm51:D2gw6VlDc6rp3X3OzoUdP4

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      137372af4a2eeccdab924279221beb685d29db39994179f57621dd070b746ede

    • Size

      686KB

    • MD5

      e929859c926def1a89205eb9c463a610

    • SHA1

      eca5f0d8834c0d47745f1a0166b5b7a9067ddb22

    • SHA256

      137372af4a2eeccdab924279221beb685d29db39994179f57621dd070b746ede

    • SHA512

      acc61f93bc3c05d39596f93fbff4bfd1dceb6e7da06528534d15e0412da315c84fa576b00b8d1cd5970f8ea85ec63e47d756a6f3ae47cab9b572f5adedfb7d2f

    • SSDEEP

      12288:Xz2Nyw6hsU5HDcqxDTThrp3g/gvIW4LUf3PqNzPgUdPm51:D2gw6VlDc6rp3X3OzoUdP4

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Loads dropped DLL

    • Windows security modification

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks