sality

General

Target

JaffaCakes118_7f3bfe42542dba416ebea5b15d165870
Size

110KB
Sample

250202-v8y2hsslaw
MD5

7f3bfe42542dba416ebea5b15d165870
SHA1

feaabf0c1d905f8bc5d52b1be7ffc4f6e274bf53
SHA256

eacafcc54117b154bdef3175a2f79dcd97090d443ea340b5c851be2e1fb0a7ad
SHA512

c706573c51fe78b1deec4f2f015018cde4bf6078b4d74f02f056ea56c6a40e2eb43b4e31f86c949c8ba23f77e917d559a7c93645fdb2d1a7378290f5e73efbe0
SSDEEP

1536:51s9uOS//PnBLWqj5/BRhesSesRxRv8z7lo1Ih9g8NATEa+j2b4SwyeEkR13utKN:XsJYBTnhDWvgZBAga+A21eB0

Score

10^/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

- Target
  
  JaffaCakes118_7f3bfe42542dba416ebea5b15d165870
- Size
  
  110KB
- MD5
  
  7f3bfe42542dba416ebea5b15d165870
- SHA1
  
  feaabf0c1d905f8bc5d52b1be7ffc4f6e274bf53
- SHA256
  
  eacafcc54117b154bdef3175a2f79dcd97090d443ea340b5c851be2e1fb0a7ad
- SHA512
  
  c706573c51fe78b1deec4f2f015018cde4bf6078b4d74f02f056ea56c6a40e2eb43b4e31f86c949c8ba23f77e917d559a7c93645fdb2d1a7378290f5e73efbe0
- SSDEEP
  
  1536:51s9uOS//PnBLWqj5/BRhesSesRxRv8z7lo1Ih9g8NATEa+j2b4SwyeEkR13utKN:XsJYBTnhDWvgZBAga+A21eB0
Score

10^/10

sality backdoor defense_evasion discovery persistence privilege_escalation trojan upx
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  defense_evasion
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- UAC bypass
  defense_evasion trojan
- Windows security bypass
  defense_evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2