Malware Analysis Report

2025-01-02 02:57

Sample ID 220224-m9bnlschc6
Target 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c
SHA256 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c
Tags: sakula persistence rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c

Threat Level: Known bad

The file 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula Payload

Sakula family

Sakula

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-02-24 11:09

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win7-en-20211208

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A (x3)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (x4)
PID 1904 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe C:\Windows\SysWOW64\cmd.exe (x4)
PID 968 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp (x2)

Files

memory/1904-55-0x0000000076731000-0x0000000076733000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file reported 3 times, twice without the drive letter)

MD5 0adfb8351d03c0951c40583d8e825b7c
SHA1 21313c67348e6b1423ad196bfcefe15c9b35de55
SHA256 edf43c9f681f41c02f168ec0db73a57e3c3d403fc6c88f2e3ad4587f1d764c2e
SHA512 5662ea84349408f2cb5a76e668591e1a39a83704b147b12c3a661c66e66bb8c764ad4b27677f69e0d0dc78d331c1933e1cf2b92489eda85db8e9097122ed4b6d

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win10-20220223-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A (x2)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp (x4)
TH 184.22.175.13:80 tcp (x2)

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file reported 2 times)

MD5 7e6611e45c883891d67895effab31407
SHA1 2589eefb31594d16e351b9c88eac5e506d7d4685
SHA256 5dca12b2c045b3457059321de67ca74aa37327fd38485295a9c64291bb463ca5
SHA512 b4bf294a5671600531ac7bd02d9851fb7eb94a7c076129c6755d549067288dbdd120f778dce4a2fe5f006433e9bcad7f46c020b92e93f52fdd373fae4b252825

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win10v2004-en-20220112

Max time kernel

138s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A (x2)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
NL 8.248.7.254:80 tcp (x3)
US 8.8.8.8:53 citrix.vipreclod.com udp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.143.87.28:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp (x2)
US 8.8.8.8:53 citrix.vipreclod.com udp (x3)
TH 184.22.175.13:80 tcp (x2)

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file reported 2 times)

MD5 af2a39ca573d13be6f831e30f371a190
SHA1 cdeb68e885abe6cf5883e9580d0ee3a800bafa90
SHA256 b8e31f9cfc4c6e4993d11e465ed79c92d8613149f0e4b2b65a944c0d138c5ea7
SHA512 8b210847e5612fdce1ada8551d8758dccb7425f02967940706e847ff48514566bb2a10ecf6c6363ff9a505c16d010ef41f059481c7b81d4edf8789faef65d8cd