General
-
Target
68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
-
Size
300KB
-
Sample
240629-fq3vesvbqq
-
MD5
918cc69d4af1ba0482b6c9a6067d63f0
-
SHA1
1259810f0b0d36c3fde05240498270ac33f639ba
-
SHA256
68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5
-
SHA512
08bffa536dc410e6841f785fffe46a33a9c92207d827f3a33a6bbf2e9edb9a0e67b9a6e243e00efc58801503ceebfda7138513e6460c2e8d141c51171c67becd
-
SSDEEP
3072:jonL5tpV+CSA1AAPoCpxW5ATBfUPhpS1svkTVC9FieYTTLprx/m3qT4S826guKqy:8tpvoCpcPe1jQdi0aCJd/s+nK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
-
Size
300KB
-
MD5
918cc69d4af1ba0482b6c9a6067d63f0
-
SHA1
1259810f0b0d36c3fde05240498270ac33f639ba
-
SHA256
68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5
-
SHA512
08bffa536dc410e6841f785fffe46a33a9c92207d827f3a33a6bbf2e9edb9a0e67b9a6e243e00efc58801503ceebfda7138513e6460c2e8d141c51171c67becd
-
SSDEEP
3072:jonL5tpV+CSA1AAPoCpxW5ATBfUPhpS1svkTVC9FieYTTLprx/m3qT4S826guKqy:8tpvoCpcPe1jQdi0aCJd/s+nK
Score10/10-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Adds policy Run key to start application
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
8Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1