sakula | 82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c

General

Target

82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe
Size

44KB
MD5

c37ff8b3db540a36ae8cdaf672330283
SHA1

0be70fcd35c3561d178b35606232046d2b9c656e
SHA256

82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c
SHA512

2e1710f178487f560cf744ffa8488fde1dab7a8f685c63e77e05f1fe8034f2fbf2bed64daf4859cc57ba1c58ab25ebe191bd96db7ccd9abd58c1e65d8ebbf4be

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1212 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2008 cmd.exe
2008 cmd.exe

pid	process
1212	MediaCenter.exe

pid	process
1684	cmd.exe

pid	process
2008	cmd.exe
2008	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1460 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

628 PING.EXE

pid	process
1460	reg.exe

pid	process
628	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 2000	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2000	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2000	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2000	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2008	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2008	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2008	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 2008	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 1684	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 1684	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 1684	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2032 wrote to memory of 1684	2032	82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe	cmd.exe
PID 2000 wrote to memory of 1460	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1460	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1460	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1460	2000	cmd.exe	reg.exe
PID 1684 wrote to memory of 628	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 628	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 628	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 628	1684	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1212	2008	cmd.exe	MediaCenter.exe
PID 2008 wrote to memory of 1212	2008	cmd.exe	MediaCenter.exe
PID 2008 wrote to memory of 1212	2008	cmd.exe	MediaCenter.exe
PID 2008 wrote to memory of 1212	2008	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe
"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
2c2983840dcd9b2202b769c9289a7f02

SHA1
d10dcbeaeccaa7affccd9d5f22b033f2a228c1a3

SHA256
0b4827160a3ec31d012d21c372f0088b6078f129918a351a92965d15e4f86abf

SHA512
8853e638be92f9ce2ce62e951e318ea449642fe6cefff6ba078dc605ad10338b6cafd0997de9a88e3ebc7b4e199c05833a69e975e1f4f64b76b0700796fb75e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
2c2983840dcd9b2202b769c9289a7f02

SHA1
d10dcbeaeccaa7affccd9d5f22b033f2a228c1a3

SHA256
0b4827160a3ec31d012d21c372f0088b6078f129918a351a92965d15e4f86abf

SHA512
8853e638be92f9ce2ce62e951e318ea449642fe6cefff6ba078dc605ad10338b6cafd0997de9a88e3ebc7b4e199c05833a69e975e1f4f64b76b0700796fb75e5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
2c2983840dcd9b2202b769c9289a7f02

SHA1
d10dcbeaeccaa7affccd9d5f22b033f2a228c1a3

SHA256
0b4827160a3ec31d012d21c372f0088b6078f129918a351a92965d15e4f86abf

SHA512
8853e638be92f9ce2ce62e951e318ea449642fe6cefff6ba078dc605ad10338b6cafd0997de9a88e3ebc7b4e199c05833a69e975e1f4f64b76b0700796fb75e5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
2c2983840dcd9b2202b769c9289a7f02

SHA1
d10dcbeaeccaa7affccd9d5f22b033f2a228c1a3

SHA256
0b4827160a3ec31d012d21c372f0088b6078f129918a351a92965d15e4f86abf

SHA512
8853e638be92f9ce2ce62e951e318ea449642fe6cefff6ba078dc605ad10338b6cafd0997de9a88e3ebc7b4e199c05833a69e975e1f4f64b76b0700796fb75e5

Download Submit
memory/628-62-0x0000000000000000-mapping.dmp

Download
memory/1212-64-0x0000000000000000-mapping.dmp

Download
memory/1460-61-0x0000000000000000-mapping.dmp

Download
memory/1684-57-0x0000000000000000-mapping.dmp

Download
memory/2000-55-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2032-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing