Summary
Sus/Sality-A is a suspicious-behaviour detection: files flagged under this name show characteristics of the Sality family of Win32 file infectors (compare the vendor names listed below) rather than matching a single fixed signature. The runtime traces that follow show the behaviours behind the detection: other executables on the system are modified, a service is registered, UAC and Security Center warnings are switched off, a firewall exception is added for the sample, and a stored list of remote URLs is retrieved.
Detailed analysis
Example behaviors of Sus/Sality-A follow:
Example 1
File Information
- Size: 13M
- SHA-1: 184b62208aa0160bbab7f80c3cff5852b42f5dc9
- MD5: f7357cc5961f125c39b02427ff81f7ef
- CRC-32: e0582e56
- File type: application/x-ms-dos-executable
- First seen: 2010-07-24
Other vendor detection
- Avira: W32/Sality.AC
- Kaspersky: Virus.Win32.Sality.af
Runtime Analysis
Dropped Files
- C:\Documents and Settings\support\Local Settings\Temp\winoqrl.exe
Modified Files
- C:\bin\autorunsc.exe
- C:\bin\harness.exe
- C:\bin\snapshot.exe
- %WINDOWS%\system.ini
- C:\bin\_PX.exe
- C:\bin\cApiSpy.exe
- C:\bin\configuresav\configuresav.exe
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\abp470n5\Security
  - Security = 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (binary security descriptor for the newly registered abp470n5 service)
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - c:\sample.exe = c:\sample.exe:*:Enabled:ipsec (Windows Firewall exception allowing the sample to accept inbound connections)
- HKLM\SYSTEM\CurrentControlSet\Services\abp470n5\Enum
  - INITSTARTFAILED = 0x00000001 (the service failed to start in the analysis environment)
- HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
  - ErrorControl = 0x00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - EnableLUA = 0x00000000 (User Account Control disabled)
- HKLM\SOFTWARE\Microsoft\Security Center\Svc
  - AntiVirusOverride = 0x00000001 (suppresses the Security Center "no antivirus" warning)
- HKCU\Software\Aryltuv\-2105228631
  - -1566392142 = 0500687474703A2F2F6D696B656576656E74732E676F2E726F2F696D616765732F6C6F676F735F732E67696600687474703A2F2F6161726F6E646173747275702E636F6D2F696D616765732F6C6F676F735F732E67696600687474703A2F2F61616E6E6137342E65752E696E74657269612E706C2F6C6F676F735F732E67696600687474703A2F2F7777772E656E657267657469786A6577656C72792E636F6D2F6C6F676F735F732E67696600687474703A2F2F797563656C6361766461722E636F6D2F6C6F676F735F732E676966 (hex-encoded ASCII: a 05 00 prefix followed by the five logos_s.gif URLs listed under HTTP Requests, separated by NUL bytes)
- HKLM\SOFTWARE\Microsoft\Security Center
  - UacDisableNotify = 0x00000001 (suppresses the Security Center "UAC disabled" notification)
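The two binary values above are opaque in the listing, so the following script decodes them. It is an added example written for this page, not code from the original report or from Sophos. The byte strings are copied verbatim from the report; the structure layouts are the documented Windows self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID formats, and treating the leading 05 00 of the Aryltuv value as a 16-bit entry count is an inference from the data (five entries follow). The `reconfig_grants` check is a generic service-permission audit, not something the report describes: it flags any principal other than SYSTEM or Administrators that may change the service configuration or its ACL.

```python
"""Decode the two REG_BINARY values from the Example 1 "Registry Keys Created" list.

Added example; not part of the original report.  The byte strings are copied from
the report.  Layouts follow the Windows self-relative SECURITY_DESCRIPTOR / ACL /
ACE / SID structures; the 2-byte count header assumed for the Aryltuv value is
inferred from the data (05 00 precedes five entries).
"""
import struct

# Value "Security" under HKLM\SYSTEM\CurrentControlSet\Services\abp470n5\Security
SERVICE_SD = bytes.fromhex(
    "01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 "  # SD header
    "02 00 1c 00 01 00 00 00 "                                       # SACL header, 1 ACE
    "02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 "  # audit ACE
    "02 00 60 00 04 00 00 00 "                                       # DACL header, 4 ACEs
    "00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 "
    "00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 "                           # owner SID
    "01 01 00 00 00 00 00 05 12 00 00 00 "                           # group SID
)

# Value "-1566392142" under HKCU\Software\Aryltuv\-2105228631
ARYLTUV_VALUE = bytes.fromhex(
    "0500687474703A2F2F6D696B656576656E74732E676F2E726F2F696D616765732F6C6F676F735F732E676966"
    "00687474703A2F2F6161726F6E646173747275702E636F6D2F696D616765732F6C6F676F735F732E676966"
    "00687474703A2F2F61616E6E6137342E65752E696E74657269612E706C2F6C6F676F735F732E676966"
    "00687474703A2F2F7777772E656E657267657469786A6577656C72792E636F6D2F6C6F676F735F732E676966"
    "00687474703A2F2F797563656C6361766461722E636F6D2F6C6F676F735F732E676966"
)

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "SYSTEM", "S-1-5-32-544": "Administrators",
              "S-1-5-32-547": "Power Users"}
# Rights that let a principal reconfigure or re-ACL a service
SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER = 0x0002, 0x00040000, 0x00080000


def parse_sid(buf, off):
    """Return (string SID, byte length) for the SID starting at buf[off]."""
    rev, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")     # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # sub-authorities, little-endian
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * sub_count


def parse_acl(buf, off):
    """Return [(ACE type, ACE flags, access mask, SID), ...] for the ACL at buf[off]."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append((ACE_TYPES.get(ace_type, "TYPE_0x%02x" % ace_type), ace_flags, mask, sid))
        pos += ace_size  # ACE sizes are self-describing, so unknown types are skipped safely
    return aces


def parse_security_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR into owner, group, SACL and DACL."""
    rev, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else [],
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else [],
    }


def reconfig_grants(sd):
    """SIDs other than SYSTEM/Administrators allowed to change the service config or its ACL."""
    return [sid for ace_type, _flags, mask, sid in sd["dacl"]
            if ace_type == "ACCESS_ALLOWED" and sid not in ("S-1-5-18", "S-1-5-32-544")
            and mask & (SERVICE_CHANGE_CONFIG | WRITE_DAC | WRITE_OWNER)]


def decode_url_list(raw):
    """Split the value into its NUL-separated ASCII URLs, checking the assumed count header."""
    count = struct.unpack_from("<H", raw, 0)[0]   # assumption: 16-bit entry count
    urls = [u.decode("ascii") for u in raw[2:].split(b"\x00") if u]
    if count != len(urls):
        raise ValueError("count header %d != %d entries" % (count, len(urls)))
    return urls


if __name__ == "__main__":
    sd = parse_security_descriptor(SERVICE_SD)
    print("owner=%s group=%s control=0x%04x" % (sd["owner"], sd["group"], sd["control"]))
    for kind in ("sacl", "dacl"):
        for ace_type, flags, mask, sid in sd[kind]:
            print("  %s %-14s flags=0x%02x mask=0x%08x %s (%s)"
                  % (kind.upper(), ace_type, flags, mask, sid, WELL_KNOWN.get(sid, "?")))
    print("non-admin reconfig grants:", reconfig_grants(sd) or "none")
    for url in decode_url_list(ARYLTUV_VALUE):
        print("  ", url)
```

Running it shows that the descriptor is the stock default Windows assigns to a new service (SYSTEM, Administrators, Authenticated Users and Power Users allowed, plus a failure-audit ACE for Everyone), so the ACL itself is unremarkable; the notable fact is that the sample registered the abp470n5 service at all. The second value decodes to exactly the five logos_s.gif URLs in the HTTP Requests list below, so it is the sample's persisted download list.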
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - Hidden = 0x00000002 (Explorer set not to show hidden files)
- HKLM\SOFTWARE\Microsoft\Security Center
  - AntiVirusOverride = 0x00000001
HTTP Requests
- http://91.207.7.194/spm/s_tasks.php
- http://aanna74.eu.interia.pl/logos_s.gif
- http://aarondastrup.com/images/logos_s.gif
- http://mikeevents.go.ro/images/logos_s.gif
- http://www.energetixjewelry.com/logos_s.gif
- http://yucelcavdar.com/logos_s.gif
IP Connections
- 58.40.150.204:5517
- 91.207.7.194:80
DNS Requests
- aanna74.eu.interia.pl
- aarondastrup.com
- mikeevents.go.ro
- www.energetixjewelry.com
- yucelcavdar.com
Example 2
File Information
- Size: 91K
- SHA-1: 01572a83dc0eb03be41d56144933c61b482aa297
- MD5: f366ce1fb0be65a6ce78deeae7d3ff13
- CRC-32: f9418806
- File type: application/x-ms-dos-executable
- First seen: 2010-07-01
Other vendor detection
- Kaspersky: Virus.Win32.Sality.aa
Example 3
File Information
- Size: 324K
- SHA-1: 49843a332dcf9179266c551c24e1fcdc8d4addd5
- MD5: 8012f17258f44c756ceaeb2e5eb2b3ff
- CRC-32: e60c32ad
- File type: application/x-ms-dos-executable
- First seen: 2010-07-01
Other vendor detection
- Kaspersky: Virus.Win32.Sality.aa