Overview

overview

10

Static

static

3

2/Activity.dll

windows7-x64

3

2/Activity.dll

windows10-2004-x64

3

2/LogViewer.exe

windows7-x64

10

2/LogViewer.exe

windows10-2004-x64

10

2/MouseHook.dll

windows7-x64

3

2/MouseHook.dll

windows10-2004-x64

3

2/RunOnce.exe

windows7-x64

3

2/RunOnce.exe

windows10-2004-x64

3

2/USBFind.dll

windows7-x64

3

2/USBFind.dll

windows10-2004-x64

3

2/iSafeProtect.dll

windows7-x64

3

2/iSafeProtect.dll

windows10-2004-x64

3

2/msadoex.dll

windows7-x64

1

2/msadoex.dll

windows10-2004-x64

1

2/pdata.exe

windows7-x64

1

2/pdata.exe

windows10-2004-x64

1

2/winsrv.exe

windows7-x64

10

2/winsrv.exe

windows10-2004-x64

10

2/zlib1d.dll

windows7-x64

3

2/zlib1d.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_83fe0ab384d1cca50ffd7f3c685c254f

  • Size

    1.5MB

  • Sample

    250203-d1833symbx

  • MD5

    83fe0ab384d1cca50ffd7f3c685c254f

  • SHA1

    06dc51c9e0bb8058f0448f4c169a005e6810c1b1

  • SHA256

    3fc05836e01475cf81027002ed8a67bb54b98462108899d1026170226ef155b2

  • SHA512

    134e9b2fe5c937014ce60051ea74ac49ef179f77ad5291d05b94316e6055542f92d39d3b29e2284c99ae1c583ce2668818d879e26fccb5bf3ef7117d8954b2cc

  • SSDEEP

    24576:LFDOfmhCWCAauY1sJQ/WkBbV34zOENOWKrqBN0NhBfoVxs/yTuPOYpMUXLJTmi+q:ZCOOAzY1f/YfOuH0N/fEs/oudMjG

Score
10/10
salitybackdoordefense_evasiondiscoverypersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      2/Activity.dll

    • Size

      224KB

    • MD5

      fb6917b50eeb4fa7984d11a971a3f833

    • SHA1

      76f30a2a8224bebb9e192d35029addd7ffd927e5

    • SHA256

      3c0ba45c164ed40f1aebcf5eff985512e4ef001fe87e276502bbfdff1955194c

    • SHA512

      87e9d9095901db98bdeaa3db38426f68c3583c6db0e590873381a2aa2baef0f1362fa28fa0ee99e2cee5f3b62baa4f41501320951a691df8b868dd1125c84c49

    • SSDEEP

      1536:W9CkrTPI8F4tucyFMjhB260Nz0btA9n5OlxTSNg5xxuKTWJS3wcP/kM2j29ekkcg:W8yTP5qucjhB2pNz0JCB5jczrYos

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      2/LogViewer.exe

    • Size

      982KB

    • MD5

      e53384342ed061847481de03a05c27c2

    • SHA1

      b04c38c9c14bde2c4e5317c564a0a370fe5bc528

    • SHA256

      e1bdf6689993b95e96b7a2ee019ade34bbbce095261cde341d3b98de848f8fff

    • SHA512

      4f337461f9683016f6e4dc3ba5964bb04b523524024403122ef74b40378968f9f6fac79a910d290944e2363fd67e1e6802d2c2f7af6b8326524da088b9006771

    • SSDEEP

      12288:Q6gAWgT3dCFMF3xEqcT/msKXJy3ZMdfoa35+VQDmF4L0C9sZC0PQOD3ZwKvA3Raq:oqqqcT4Jy3ZMdfjkaRaEZ/XH3

    Score
    10/10
    salitybackdoordefense_evasiondiscoverytrojanupx

    • Modifies firewall policy service

      defense_evasion

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • Sality family

      sality

    • UAC bypass

      defense_evasiontrojan

    • Windows security bypass

      defense_evasiontrojan

    • Windows security modification

      defense_evasiontrojan

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

    • Target

      2/MouseHook.dll

    • Size

      54KB

    • MD5

      b0c520e29c72faa87fb840fbe1f7371e

    • SHA1

      bca7a7e12845f6ad85debef4ec1782858cec6684

    • SHA256

      0684360ccf1661c9f29a5d08489a3f14616a9d4bd94efc47401e6c98f884b924

    • SHA512

      1a27fce378e6a6493fef782b816d5777d87fa598eeb0461391648e0bf748b5e9e133d06a1f1845d4c16404bee08c08a153b43803157d9e1250a85825fceff281

    • SSDEEP

      768:ZhNPLMeBaZKtVVg42SLW9MtDHS8ft5ZvWX5u1VYeHj5:jZH0ZUVg42qH/flv5Vj5

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      2/RunOnce.exe

    • Size

      664KB

    • MD5

      e4ebd65e5f91aa42d785dc7fc72606b9

    • SHA1

      48c811b1eb498f28c13f849da7fe46ef48a018fc

    • SHA256

      39dda93bf2d72d7c55ad024b5c149971423af9b6481fe85e0d9ceb67eeeb8438

    • SHA512

      089891ae8da4bea785db4f24a5362217a6fce2c6e6a24fbed15064320c43fa8903bcfdfe2ef567b1660a5c2c7eca40ac699778e107abf8328525a73fa9eaecfd

    • SSDEEP

      6144:dudd3+t1eSUvfJzorO3/ehEtxAuzbawXg7DOhA5iL4QHBKEPOL8y0:v1eWi3/ehELXawzAIL9HBKEPOo7

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      2/USBFind.dll

    • Size

      69KB

    • MD5

      e4050b271f12726a3901325d107d7e7f

    • SHA1

      721215ec5d3ab6e3ad3c0f81258e1c8d205de30b

    • SHA256

      b414d1cbb5b6a1c8659a402720dee126f5392024edba869603703ec6cf241798

    • SHA512

      6de22a6689ed9f64374b2a72282ca4bbea1e2ab7beb5881401cd94aa36f19c648ef219fccd6ca990bbd2bd8cdd2eb8bf5439b1a40c5a42442a9e0c51acf057c0

    • SSDEEP

      1536:YpsyYBuKmEPFUXExAjLHX3jNHkeZpd5Gld:YiyYBuKmzhDhkend5Gld

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      2/iSafeProtect.dll

    • Size

      77KB

    • MD5

      e946ff867fc386d3ba0bdd485b14395a

    • SHA1

      314ffde0b45ef71093f3b0d869cae431508f3fa0

    • SHA256

      d344c8d6e01ed8fa25b91e3442a81dfc1f7fb0111cd8f50bc897ec6393209ad5

    • SHA512

      2f589fb406b9942bf0f402e00915273dcaa0cc79884ca807fb1b86fb8178c8908a1caa78d2b74ece7759263b8485b0a5ae414aefd2a51a23d7c8172f1cc91084

    • SSDEEP

      1536:Qv2ww6CAA4pJW5V48B4pc+VWr65yrTntE:Qv2HT4P1/VWr65yr7t

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      2/msadoex.dll

    • Size

      116B

    • MD5

      a3009a0fc3187d8ea639c998b160614e

    • SHA1

      000d3db851bf8060ffe76f8f76c22e6a318625e7

    • SHA256

      0db7ab36e09de854156753e631b03aa098efcdfa9167a688d3f283e7ecb8793b

    • SHA512

      417b077a800df2927a9efe54a79b1a9005b8fa4257d0c1cffc8f33c17874d55ab05e78dfed8242f9dc631798d25df9c1811f90e0665ea965147fa30f298c0ad1

    Score
    1/10
    behavioral13behavioral14

    • Target

      2/pdata.exe

    • Size

      6KB

    • MD5

      b4be0d86dcf409ee01715493b7d023a6

    • SHA1

      8169c2974d531d561b83d5f30679500d02e59cb7

    • SHA256

      d8adb7bddc2d418591a28b0bccac1d52b3719230e3f7719e8ba46e9641fa4e93

    • SHA512

      7aaee467f3bdb5b8c62aa9f4e065dd5475f179935f31fa411884d427e4e519e2c08c2572910aa2656fa2bff5d5df2f572ce58f2a7dbcf78d4bc80d7e75e36c3f

    • SSDEEP

      96:XUMFV25kciUC7hqbq6i3HwFvg4cZ4AzNt:kM4gUOl64QN9/C

    Score
    1/10
    behavioral15behavioral16

    • Target

      2/winsrv.exe

    • Size

      1.7MB

    • MD5

      4c7790bc050fd4b3f60bf7c8eb1ce93e

    • SHA1

      150359dad0f31102664cc78b46938609ad97d8fa

    • SHA256

      b30e3949a4a572b1ea0118dede259cb75c2355f58aadfd3455f0f1aa0994d91d

    • SHA512

      f2845dc849e438d3aaf723f2957ea3eef90881137782edd35c1d1d5f7c5047250c0191797c349ec0741b468c8042d3c172dce9dae0c2256c05fb3b6c19990ce5

    • SSDEEP

      49152:6xejPqOKQBsEuyewoaJkRRISGiQdRcDTnqj0YvI4:XPqPR+gqj0YvI4

    Score
    10/10
    salitybackdoordefense_evasiondiscoverypersistencetrojanupx
    behavioral17behavioral18

    • Target

      2/zlib1d.dll

    • Size

      192KB

    • MD5

      0d385319da3dba49656a0f4f6b8e8dfe

    • SHA1

      33519585735e7e68681b77edbe2fe14c038a9332

    • SHA256

      a75b15cfa275bd74719de4b1abb3fabe2744878c68663d22305acf91463ebaba

    • SHA512

      c31cb6f88158e8c7405858576a00d7fabca90630ee62a79462cf01bf5768d4fe6683b7c5e15aba2626b819a0c9e3cf60f26c903d5ec38a241a7319fca84975d3

    • SSDEEP

      3072:BeWanhUoastBy/F/RBMxvdW2TBfqFaseJt:I/9cyxvdW2TBiFas4t

    Score
    3/10
    discovery
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

salitybackdoordefense_evasiondiscoverytrojanupx
Score
10/10

behavioral4

salitybackdoordefense_evasiondiscoverytrojanupx
Score
10/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

salitybackdoordefense_evasiondiscoverypersistencetrojanupx
Score
10/10

behavioral18

salitybackdoordefense_evasiondiscoverypersistencetrojanupx
Score
10/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10