Malware Analysis Report

2024-12-07 22:06

Sample ID: 220323-ljw17agbcr
Target: dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2
SHA256: dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2
Tags: sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2
Threat Level: Known bad

The file dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula Payload

Sakula

Sakula family

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-23 09:34

Signatures

Sakula Payload

Description / Indicator / Process / Target: none recorded (1 hit)

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-23 09:34
Reported: 2022-03-23 09:40
Platform: win7-20220311-en
Max time kernel: 4294184s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description / Indicator / Process / Target: none recorded (3 hits)

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1980 wrote to memory of 1816 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Description: PID 1980 wrote to memory of 1504 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: C:\Windows\SysWOW64\cmd.exe

Description: PID 1504 wrote to memory of 1056 (4 events)
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe

"C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country  Destination        Domain                Proto
US       8.8.8.8:53         citrix.vipreclod.com  udp
TH       184.22.175.13:80   (none)                tcp
TH       184.22.175.13:80   (none)                tcp

Files

memory/1980-54-0x0000000075081000-0x0000000075083000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 10e7120433035b58ca5187070e01c386
SHA1 35b174398661b22a62743b25ea485a419aecd1eb
SHA256 c4c9488e8dac6ae141028528ff7e989e6c9f95df659df261d867823280de292b
SHA512 c7a945c55b684b222848625fd331e732692e7cebfc193c5f5fc6bd28b65d8d203f28591ce6190f7fdf7e44be6de9191ad5599190aedc10a319a2a6ccb5cd0227

memory/1816-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 10e7120433035b58ca5187070e01c386
SHA1 35b174398661b22a62743b25ea485a419aecd1eb
SHA256 c4c9488e8dac6ae141028528ff7e989e6c9f95df659df261d867823280de292b
SHA512 c7a945c55b684b222848625fd331e732692e7cebfc193c5f5fc6bd28b65d8d203f28591ce6190f7fdf7e44be6de9191ad5599190aedc10a319a2a6ccb5cd0227

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 10e7120433035b58ca5187070e01c386
SHA1 35b174398661b22a62743b25ea485a419aecd1eb
SHA256 c4c9488e8dac6ae141028528ff7e989e6c9f95df659df261d867823280de292b
SHA512 c7a945c55b684b222848625fd331e732692e7cebfc193c5f5fc6bd28b65d8d203f28591ce6190f7fdf7e44be6de9191ad5599190aedc10a319a2a6ccb5cd0227

memory/1504-60-0x0000000000000000-mapping.dmp

memory/1056-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-23 09:34
Reported: 2022-03-23 09:40
Platform: win10v2004-en-20220113
Max time kernel: 140s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description / Indicator / Process / Target: none recorded (2 hits)

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe

"C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country  Destination        Domain                Proto
US       8.8.8.8:53         citrix.vipreclod.com  udp
US       8.8.8.8:53         citrix.vipreclod.com  udp
US       8.8.8.8:53         citrix.vipreclod.com  udp
US       8.8.8.8:53         citrix.vipreclod.com  udp
TH       184.22.175.13:80   (none)                tcp
TH       184.22.175.13:80   (none)                tcp

Files

memory/5100-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 7e0a030fad5682ba7c1511a27b9a9a8f
SHA1 50ca858ef34c8ea6fa42d6453c31a16373e56c01
SHA256 c1a0371a508d4edb574322a58ea18a259fa69a4635883ad1e6d2de39940bf72c
SHA512 16752efc21db2b75e2c2b97c906172470123e6457a0fd02628e1eba0834427e8d3ad9886994eb92ffb3d379cd02043636c9dfbd8fcb4196df12809aac078eec3

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 7e0a030fad5682ba7c1511a27b9a9a8f
SHA1 50ca858ef34c8ea6fa42d6453c31a16373e56c01
SHA256 c1a0371a508d4edb574322a58ea18a259fa69a4635883ad1e6d2de39940bf72c
SHA512 16752efc21db2b75e2c2b97c906172470123e6457a0fd02628e1eba0834427e8d3ad9886994eb92ffb3d379cd02043636c9dfbd8fcb4196df12809aac078eec3

memory/2672-133-0x0000000000000000-mapping.dmp

memory/1440-134-0x0000000000000000-mapping.dmp