General

  • Target

    00070fe0fe6962fa10a1baed2d7c30252be6b42b4a514d4dbe65b55590b0b1f9

  • Size

    100KB

  • Sample

    220212-p46ynsecdk

  • MD5

    ceb48121c589937a7944e798704a0eee

  • SHA1

    70c7fbb325eabb3c2553cef87fd20618a66528b9

  • SHA256

    00070fe0fe6962fa10a1baed2d7c30252be6b42b4a514d4dbe65b55590b0b1f9

  • SHA512

    69be5eddba49d49204ab8dcf7c1bf254347aa066b6e827308eb5ecabcc87c24579e22b2817e3f43273549b2a9f7dfb912b0b20ab30e1025557e6233c15d1ec31

Malware Config

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 signature

  • Defense Evasion

    Modify Registry (T1112): 1 signature

  • Discovery

    Query Registry (T1012): 2 signatures

    System Information Discovery (T1082): 3 signatures

    Remote System Discovery (T1018): 1 signature

Tasks