sality | 56f948f1714d171326ca89ec3c5d50a3392b16e77909b223ff48d74299bec0a3

General

Target

JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Size

223KB
MD5

9f1c7c844ef3fd8c846c90f59c89120e
SHA1

edf1fe132c310ca4eb1e8a2f3475f49e2f38d4b8
SHA256

56f948f1714d171326ca89ec3c5d50a3392b16e77909b223ff48d74299bec0a3
SHA512

b99b1e96dbf4ae092715170bf7d617928c5344d946b81b76195cae51ab2aaf5cf0446004fc6eefe6d78c141685ee2d873ae1a0f65d4afd4ef8bc87f30edeea8c
SSDEEP

6144:35Grd28lR1yD34S1mzQzSaCZRHwA76oz5q9obHW6zzCX:pGrd5r1yD3717zSTRHD76ehN6

Score

10^/10

sality backdoor defense_evasion discovery trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Windows security bypass 2 TTPs 6 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Windows security modification 2 TTPs 7 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\O:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\M:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\E:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\H:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\G:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\Z:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\X:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\T:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\Q:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\K:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\Y:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\P:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\N:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\L:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\I:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\V:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\U:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\S:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\R:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened (read-only)	\??\J:	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
File opened for modification	F:\autorun.inf	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-1-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-11-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-3-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-4-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-5-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-12-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-7-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-14-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-6-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-13-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx
behavioral1/memory/2236-69-0x0000000001DA0000-0x0000000002E2E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
Token: SeDebugPrivilege	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1120	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe	19
PID 2236 wrote to memory of 1180	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe	20
PID 2236 wrote to memory of 1236	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe	21
PID 2236 wrote to memory of 1132	2236	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe	23

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f1c7c844ef3fd8c846c90f59c89120e.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Impair Defenses

4

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
c79a7aa916f6c31435c5981294583e94

SHA1
639a34bfd37193b489713f6be1899aa275c6be12

SHA256
befb4f333166c5b1774e0057f975d1c76b58df80a8f8cc4f455752de5585da4f

SHA512
578bbe53a5235b6c19a082cc67776f7c6b0085b4936585e854773f7676eb2cd74ad4908f694ae9b4b1498976c799c2ff20644ff5a1a4b1daa4080f96a6850f94

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
e8d2ad758a77010f19876b04949aca3a

SHA1
a519b27955d35625f9e82995c746cf4cc039ea4b

SHA256
8386ad47c8c1bed4015a5804f950c2bbf9ce68c60638d1fe9f4d1d6fef75d276

SHA512
30ff4bc65a433c549e20c9aaa62d68157d7771f63496b99afff13343e395e31d6a800df79f7cd90c46db81d749b268d22d39e2a295fe8327644db35dab29fd4a

Download Submit
memory/1120-15-0x0000000001F10000-0x0000000001F12000-memory.dmp

Filesize
8KB

Download
memory/2236-27-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2236-13-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-12-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-7-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-14-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-6-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2236-29-0x0000000004860000-0x0000000004862000-memory.dmp

Filesize
8KB

Download
memory/2236-4-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-5-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-28-0x0000000004860000-0x0000000004862000-memory.dmp

Filesize
8KB

Download
memory/2236-25-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2236-24-0x0000000004860000-0x0000000004862000-memory.dmp

Filesize
8KB

Download
memory/2236-3-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-11-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-1-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download
memory/2236-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2236-60-0x0000000004860000-0x0000000004862000-memory.dmp

Filesize
8KB

Download
memory/2236-69-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads