
Sality

Actor(s): Salty Spider


There is no description at this point.

References
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2021-10-27 | Mandiant | Ken Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker
@online{proska:20211027:portable:437b9c1, author = {Ken Proska and Corey Hildebrandt and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Portable Executable File Infecting Malware Is Increasingly Found in OT Networks}}, date = {2021-10-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pe-file-infecting-malware-ot}, language = {English}, urldate = {2021-11-08} } Portable Executable File Infecting Malware Is Increasingly Found in OT Networks
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2020-05-24 | Palo Alto Networks Unit 42 | Ajaya Neupane, Stefan Achleitner
@online{neupane:20200524:using:2f77c1c, author = {Ajaya Neupane and Stefan Achleitner}, title = {{Using AI to Detect Malicious C2 Traffic}}, date = {2020-05-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/c2-traffic/}, language = {English}, urldate = {2021-06-09} } Using AI to Detect Malicious C2 Traffic
Emotet Sality
2017-10-29 | quangnh89
@online{quangnh89:20171029:sality:c8a91cd, author = {quangnh89}, title = {{Sality Configuration Extractor (sality_extractor.py)}}, date = {2017-10-29}, url = {https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py}, language = {Python}, urldate = {2021-05-08} } Sality Configuration Extractor (sality_extractor.py)
Sality
2017-05 | IEEE | Lorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Tongaonkar, Somesh Jha
@online{carli:201705:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2021-10-11} } Botnet Protocol Inference in the Presence of Encrypted Traffic
Ramnit Sality ZeroAccess
2015-12-02 | Botconf | Peter Kleissner
@techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} } Sality: 2003 - Today
Sality
2011-07 | Symantec | Nicolas Falliere
@techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peer-to-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} } Sality: Story of a Peer-to-Peer Viral Network
Sality
Yara Rules
[TLP:WHITE] win_sality_auto (20220411 | Detects win.sality.)
rule win_sality_auto {
    // Auto-generated code-signature rule for the win.sality family: every
    // $sequence_N below is a short run of x86 opcode bytes lifted from sample
    // disassembly, and the condition at the bottom sets the hit threshold.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.sality."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        // Provenance of the rule (source dataset, generator, licence); keep
        // these fields intact when vendoring the rule into another ruleset.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each pattern is raw opcode bytes; "??" wildcards one byte, which is
        // how build-specific immediates such as call displacements (e8 ????????)
        // and data references (68 ????????, d81d ????????) are kept out of the
        // match. The "n = k, score = s" comments come from yara-signator
        // (k = number of instructions in the sequence); neither value is
        // consulted by the condition, which only counts matching sequences.
        $sequence_0 = { 0255fc 8855ec 8b45ec 25ff000000 }
            // n = 4, score = 400
            //   0255fc               | add                 dl, byte ptr [ebp - 4]
            //   8855ec               | mov                 byte ptr [ebp - 0x14], dl
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   25ff000000           | and                 eax, 0xff

        $sequence_1 = { 0302 50 6a00 e8???????? }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_2 = { 0302 8945fc 8b4d10 8b55fc }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        // $sequence_3 and $sequence_4 both carry the literal immediate
        // 0x12345678 (bytes 6878563412). It reads like a placeholder value;
        // NOTE(review): confirm it is stable across samples before treating
        // these two sequences as strong evidence on their own.
        $sequence_3 = { 0302 50 6878563412 e8???????? }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   6878563412           | push                0x12345678
            //   e8????????           |                     

        $sequence_4 = { 0311 52 6878563412 e8???????? }
            // n = 4, score = 400
            //   0311                 | add                 edx, dword ptr [ecx]
            //   52                   | push                edx
            //   6878563412           | push                0x12345678
            //   e8????????           |                     

        $sequence_5 = { 02040a 8845fc 8b4dfc 81e1ff000000 }
            // n = 4, score = 400
            //   02040a               | add                 al, byte ptr [edx + ecx]
            //   8845fc               | mov                 byte ptr [ebp - 4], al
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_6 = { 02c8 884dec 8b55f0 83c201 }
            // n = 4, score = 400
            //   02c8                 | add                 cl, al
            //   884dec               | mov                 byte ptr [ebp - 0x14], cl
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   83c201               | add                 edx, 1

        $sequence_7 = { 837d1400 741c 8b4d10 51 8b550c }
            // n = 5, score = 400
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   741c                 | je                  0x1e
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_8 = { 0344240c 03c7 8b00 0344240c }
            // n = 4, score = 200
            //   0344240c             | add                 eax, dword ptr [esp + 0xc]
            //   03c7                 | add                 eax, edi
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   0344240c             | add                 eax, dword ptr [esp + 0xc]

        // NOTE(review): $sequence_9, $sequence_11 and $sequence_13 bake a fixed
        // 32-bit displacement (0x40153d / 0x40143a / 0x4014c5) into the pattern
        // bytes, so they only match code laid out exactly like the documented
        // sample; expect them to generalise less than the wildcarded sequences.
        $sequence_9 = { 7278 fc 8dbd3d154000 b90c000000 }
            // n = 4, score = 200
            //   7278                 | jb                  0x7a
            //   fc                   | cld                 
            //   8dbd3d154000         | lea                 edi, dword ptr [ebp + 0x40153d]
            //   b90c000000           | mov                 ecx, 0xc

        $sequence_10 = { 7505 83c404 eb0a 59 83c304 40 }
            // n = 6, score = 200
            //   7505                 | jne                 7
            //   83c404               | add                 esp, 4
            //   eb0a                 | jmp                 0xc
            //   59                   | pop                 ecx
            //   83c304               | add                 ebx, 4
            //   40                   | inc                 eax

        $sequence_11 = { 52 56 52 ff953a144000 e8???????? 8907 5a }
            // n = 7, score = 200
            //   52                   | push                edx
            //   56                   | push                esi
            //   52                   | push                edx
            //   ff953a144000         | call                dword ptr [ebp + 0x40143a]
            //   e8????????           |                     
            //   8907                 | mov                 dword ptr [edi], eax
            //   5a                   | pop                 edx

        $sequence_12 = { 85c0 7403 eb0c 58 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   eb0c                 | jmp                 0xe
            //   58                   | pop                 eax

        $sequence_13 = { 8bf2 8bf8 50 ff95c5144000 8bc8 f3a6 }
            // n = 6, score = 200
            //   8bf2                 | mov                 esi, edx
            //   8bf8                 | mov                 edi, eax
            //   50                   | push                eax
            //   ff95c5144000         | call                dword ptr [ebp + 0x4014c5]
            //   8bc8                 | mov                 ecx, eax
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]

        $sequence_14 = { 85c0 74f6 c3 8bf7 32c0 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   74f6                 | je                  0xfffffff8
            //   c3                   | ret                 
            //   8bf7                 | mov                 esi, edi
            //   32c0                 | xor                 al, al

        $sequence_15 = { 7502 eb35 8b7224 0374240c 52 }
            // n = 5, score = 200
            //   7502                 | jne                 4
            //   eb35                 | jmp                 0x37
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]
            //   0374240c             | add                 esi, dword ptr [esp + 0xc]
            //   52                   | push                edx

        // The remaining sequences have score = 100, the lowest in this rule.
        $sequence_16 = { df7de0 df6de0 d81d???????? dfe0 }
            // n = 4, score = 100
            //   df7de0               | fistp               qword ptr [ebp - 0x20]
            //   df6de0               | fild                qword ptr [ebp - 0x20]
            //   d81d????????         |                     
            //   dfe0                 | fnstsw              ax

        $sequence_17 = { 0fb7c0 c1e00a 50 6a06 e8???????? 5d }
            // n = 6, score = 100
            //   0fb7c0               | movzx               eax, ax
            //   c1e00a               | shl                 eax, 0xa
            //   50                   | push                eax
            //   6a06                 | push                6
            //   e8????????           |                     
            //   5d                   | pop                 ebp

        $sequence_18 = { 897704 8d45e8 50 68???????? 6a0c e8???????? }
            // n = 6, score = 100
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   68????????           |                     
            //   6a0c                 | push                0xc
            //   e8????????           |                     

        $sequence_19 = { 880411 ff45f0 837df014 7ea6 8b45bc 83e000 }
            // n = 6, score = 100
            //   880411               | mov                 byte ptr [ecx + edx], al
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   837df014             | cmp                 dword ptr [ebp - 0x10], 0x14
            //   7ea6                 | jle                 0xffffffa8
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   83e000               | and                 eax, 0

        $sequence_20 = { 8d851cfcffff 50 8d850bfaffff 50 }
            // n = 4, score = 100
            //   8d851cfcffff         | lea                 eax, dword ptr [ebp - 0x3e4]
            //   50                   | push                eax
            //   8d850bfaffff         | lea                 eax, dword ptr [ebp - 0x5f5]
            //   50                   | push                eax

        $sequence_21 = { 8bd0 8b442408 8b4804 c74004???????? 53 56 }
            // n = 6, score = 100
            //   8bd0                 | mov                 edx, eax
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   c74004????????       |                     
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_22 = { e8???????? ffb42408010000 50 e8???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   ffb42408010000       | push                dword ptr [esp + 0x108]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_23 = { 894508 fec1 80f904 76bd 8b450c }
            // n = 5, score = 100
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   fec1                 | inc                 cl
            //   80f904               | cmp                 cl, 4
            //   76bd                 | jbe                 0xffffffbf
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    // Fire when at least 7 of the 24 sequences above are present and the
    // scanned object is smaller than 1523712 bytes (1488 KiB); the size bound
    // keeps the rule off large containers and archives.
    // NOTE(review): YARA leaves `filesize` undefined when scanning process
    // memory, which makes this whole condition false there — confirm against
    // the YARA version in use and drop the size clause if this rule is meant
    // to run on memory scans as well as on files.
    condition:
        7 of them and filesize < 1523712
}