General

  • Target

    1ba00071a7eb123c4b4141ff48016453_JaffaCakes118

  • Size

    164KB

  • Sample

    240701-rnycpswejd

  • MD5

    1ba00071a7eb123c4b4141ff48016453

  • SHA1

    c0d7d861e2ee975a72627854e35df74b08e640b3

  • SHA256

    0891ddb6b4cf9b491981c9065e734f302613c64828c811b8742a85e25fa7f60c

  • SHA512

    b751c9596f49ce4dfff0ea76f3e520793ddfcc3d40f75d2fbf4123baa340def3443b03cdc24a8aa3f527bde4c0924033bc313c3e79e5a1745eca87108ab8c125

  • SSDEEP

    3072:ivwprm4afmJZAI00NoY1LlWkMSihbotRO0f83lSRI95ptuJCOX:i0rYp90NPGDSCotRsEMXtZ2

Malware Config

Extracted

  • Family

    sality

  • C2

    http://89.119.67.154/testo5/

    http://kukutrustnet777.info/home.gif

    http://kukutrustnet888.info/home.gif

    http://kukutrustnet987.info/home.gif

Targets

    • Target

      1ba00071a7eb123c4b4141ff48016453_JaffaCakes118

    • Size

      164KB

    • MD5

      1ba00071a7eb123c4b4141ff48016453

    • SHA1

      c0d7d861e2ee975a72627854e35df74b08e640b3

    • SHA256

      0891ddb6b4cf9b491981c9065e734f302613c64828c811b8742a85e25fa7f60c

    • SHA512

      b751c9596f49ce4dfff0ea76f3e520793ddfcc3d40f75d2fbf4123baa340def3443b03cdc24a8aa3f527bde4c0924033bc313c3e79e5a1745eca87108ab8c125

    • SSDEEP

      3072:ivwprm4afmJZAI00NoY1LlWkMSihbotRO0f83lSRI95ptuJCOX:i0rYp90NPGDSCotRsEMXtZ2

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks whether UAC is enabled

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      7e49eb67f1f3c62bb8c4b0a868b30645

    • SHA1

      2be42e3c6059485bc3b624a537ab1fb36a10a263

    • SHA256

      17f0946e0847bbaa6a06eb58aead13fce22a8606e9b3744cd2241debdf8d8bae

    • SHA512

      469c28b6da5b9499fd417f8cd74414d6c6edcbe6567eecc9421a69797a77ec323936deb96cd151611da57e311074ec0c56d82a9800d7aebac9538a947284ff9e

    • SSDEEP

      192:/6JaVGQ+xI5EeuyvMmGpeWH2J5xprN+AxTSK72dwF7dBdcQOz:/6JaVh4I5rpPbTS+BdhO

    • Score

      3/10

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      7344a89ef365ee3cb14e3ce465257a17

    • SHA1

      5714b1b7e16225a23dad0ef5d10ec6382553e05b

    • SHA256

      e53b5f58dd9e1a25a973efc378b552e15fda6e79b3fc67062f556967865a8bef

    • SHA512

      5d993ccc6e66d728902c375facfc0e3df8f45773eedbcb043f81d755ad33b6e29d1d39be0fb446bc4f49dcbbcc3e8a875c793985c9ed1595f407930e63f37c91

    • SSDEEP

      48:SnrQ/z+vUML8eYXICmlmGYKHz0JSpXSxwo6mpwzcR3RqG8aEJeABofgMGKO:fz+MM4eqmvz0JScx56mpwzAhWWGV

    • Score

      3/10

    • Target

      $PLUGINSDIR/System.dll

    • Size

      10KB

    • MD5

      de86f5220bcbbac420fc4f6166bb2d91

    • SHA1

      d0d52fdacbcffe0058cedfc20cf5108475033f5d

    • SHA256

      7f3057abae7e8b5b91a35fbb23897657accb8c724e923d5d4a0e9208ca09c445

    • SHA512

      d22f7807037c410427518891dee5dd535361df514ce0980a654d99d32f369b5e9c2059bc5930d807e93ebb3b7741d09466dd87bb796256daf9d8a630280fbe99

    • SSDEEP

      192:mO6dJA/ruAFEiUdWWE6hE5RYUdJfbub1afgMO:DKAFERdlxhGRYUzqZaf

    • Score

      3/10

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      8092119fa7038477602715fbb9a749b8

    • SHA1

      505d88dadde88c3d0c1a7dcf95511dac89a75327

    • SHA256

      6c43af5362c855c59c4472225fbdaebe26444c711be22e0e5ab80fdcb32e9af7

    • SHA512

      27285dee1ee49ffc2489bb33856e04751e147226dd3978c026e7958d2baa6650e15254c3276eb64d63e0b1bc124f33667c98703fbbe3b0f83dc5eb52492688df

    • Score

      3/10

MITRE ATT&CK Matrix ATT&CK v13

Tactic                Technique                           Count  ID
Privilege Escalation  Abuse Elevation Control Mechanism   1      T1548
                      Bypass User Account Control         1      T1548.002
Defense Evasion       Abuse Elevation Control Mechanism   1      T1548
                      Bypass User Account Control         1      T1548.002
                      Impair Defenses                     1      T1562
                      Disable or Modify Tools             1      T1562.001
                      Modify Registry                     2      T1112
Discovery             System Information Discovery        2      T1082
