Malware Analysis Report

2025-01-02 02:55

Sample ID 220224-m8635achc5
Target efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636
SHA256 efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636

Threat Level: Known bad

The file efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula Payload

Sakula family

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-24 11:09

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:11

Platform

win7-en-20211208

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1180 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

memory/1180-55-0x0000000075831000-0x0000000075833000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 56510ab3d09d97ce06e5263ecb38253a
SHA1 ca93eee96299a775d7d080526967b947f2eee5af
SHA256 55cd3ffd523cbc9ba476e015da24a9b6c284f91ebff315ec843e8c235d4c3444
SHA512 abcf87f3051c320055025db3f4f4e05656162e992cf5f6c9f321ae9dae1022ccc9a68958d8bd01d9c328c7b2635b5cf902b7eaa641657fd9d983b3149f2ede29

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:11

Platform

win10-20220223-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6be00512583131bd6d7ad12d27ad14c3
SHA1 5aaa73028b12494e736f0a152372b15309e5ac0c
SHA256 a558a5503420bb772a4eb64355c13dc49a1382a020f7874dd140c68589ff4acc
SHA512 3f04e9bc2716a46fd14dce4d889f2a03f21529b9a1d9b927e25925f787d19f32004a1260ff8a65e1f4fae394202b182540043ec0eca0b88a18b781c4b380247f

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:11

Platform

win10v2004-en-20220113

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 f831c6aac2591fb6d15448221e261040
SHA1 d725de14fcf0b3ca0fbc907c01583d72a1f32520
SHA256 deb6502f1855ec719d5626c4c2628bbd94102edb673eb5f243f9758c7f355add
SHA512 068fd2925e8e581bd3d444bee8d4fe73ef59b13a53545ef76e57d869129179df6cb63a0f7f0d1b9109b07a926567582f84ac3f16a9daf1d4da6ca75b23d090bd