General

  • Target

    001721bed5f3dbf01d95589b4f7f7c221b368fab14877b6b14931c8f58ca910a

  • Size

    151KB

  • Sample

    220212-p4kqfaceb2

  • MD5

    ba293c47cf7db8484c9df776aefe4c42

  • SHA1

    36aa6fe633345bbd5e91ae52b10023531124f04f

  • SHA256

    001721bed5f3dbf01d95589b4f7f7c221b368fab14877b6b14931c8f58ca910a

  • SHA512

    74045600bd3e051cf3f50ae4952d5245da1c59d24d35d15ccc044b76f06638b8ec1e30400268ec3583e0dd2be364c32b6ce871dbcd2dc3dea1d9594c1206790b

Malware Config

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

    Remote System Discovery (T1018): 1

Tasks