sakula | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba

General

Target

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
Size

200KB
MD5

cc730862f06bc3554660bcff94c78047
SHA1

bc857b68028dbe836b9452f5a0de36de2bab382f
SHA256

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba
SHA512

f874b9afb9b483fe013aff7636d1234a928eed6c5b072fd712977c85107ced809fef1ed38fdd567872239d81d27584710a94e270b1c639e19f3e97528f3839c6

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/848-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1068-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1068 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1768 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

pid process

848 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

pid	process
1068	MediaCenter.exe

pid	process
1768	cmd.exe

pid	process
848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

description pid process

Token: SeIncBasePriorityPrivilege 848 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

pid	process
1512	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1068	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	MediaCenter.exe
PID 848 wrote to memory of 1068	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	MediaCenter.exe
PID 848 wrote to memory of 1068	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	MediaCenter.exe
PID 848 wrote to memory of 1068	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	MediaCenter.exe
PID 848 wrote to memory of 1768	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	cmd.exe
PID 848 wrote to memory of 1768	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	cmd.exe
PID 848 wrote to memory of 1768	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	cmd.exe
PID 848 wrote to memory of 1768	848	06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe	cmd.exe
PID 1768 wrote to memory of 1512	1768	cmd.exe	PING.EXE
PID 1768 wrote to memory of 1512	1768	cmd.exe	PING.EXE
PID 1768 wrote to memory of 1512	1768	cmd.exe	PING.EXE
PID 1768 wrote to memory of 1512	1768	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
"C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
ce0f266e46dd6e39acb3e94551afd92d

SHA1
c3cfd8694baaa4768b3b134a2f46acda22eabfb1

SHA256
b81bbd1cf1ddab36ac58f3fce150d4bf9300b1353846d33cd205a536ad7d2d07

SHA512
853659de1f15f3f11e97727f5137a2637349f3a93e7919fb8c852cd7f56a4e2d307dc17e7c92c1cb0977eaef235f40c5dac6a552a02589c2108c581201635a93

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
ce0f266e46dd6e39acb3e94551afd92d

SHA1
c3cfd8694baaa4768b3b134a2f46acda22eabfb1

SHA256
b81bbd1cf1ddab36ac58f3fce150d4bf9300b1353846d33cd205a536ad7d2d07

SHA512
853659de1f15f3f11e97727f5137a2637349f3a93e7919fb8c852cd7f56a4e2d307dc17e7c92c1cb0977eaef235f40c5dac6a552a02589c2108c581201635a93

Download Submit
memory/848-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/848-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1068-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads