Malware Analysis Report

2025-01-02 02:52

Sample ID 220323-s97zpsgef5
Target 2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1
SHA256 2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1

Threat Level: Known bad

The file 2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula Payload

Sakula

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 15:50

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 15:50

Reported

2022-03-23 15:53

Platform

win7-20220311-en

Max time kernel

4294209s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1184 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1184 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1184 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1184 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe

"C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/1184-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 568de8afeeb1793e153261b7f42ed314
SHA1 9d662d955769754f0c5f896519bf7cd15683727e
SHA256 aba4fb190f887ae6010aedf3cd7023f977545680765322055524a43f5e96aebc
SHA512 0cb21c63edba3cb584889d65121fc7a0392ac8c0aa1fa7a400b2abc648a4e6cd506f331811dcfe31c85195ef3f5bde1236f5c386bdeba85ab22c79896c484034

memory/852-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 568de8afeeb1793e153261b7f42ed314
SHA1 9d662d955769754f0c5f896519bf7cd15683727e
SHA256 aba4fb190f887ae6010aedf3cd7023f977545680765322055524a43f5e96aebc
SHA512 0cb21c63edba3cb584889d65121fc7a0392ac8c0aa1fa7a400b2abc648a4e6cd506f331811dcfe31c85195ef3f5bde1236f5c386bdeba85ab22c79896c484034

memory/1680-59-0x0000000000000000-mapping.dmp

memory/1488-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 15:50

Reported

2022-03-23 15:53

Platform

win10v2004-en-20220113

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe

"C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2b219ee94ccd3dab012a2a6f5b55e4dde7f0e14d4df72caa6bc650c53ca1c0c1.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
IE 52.109.76.31:443 N/A tcp
NL 178.79.208.1:80 N/A tcp
NL 178.79.208.1:80 N/A tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
NL 20.50.201.200:443 N/A tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 55d72d996f223f643f0bf427be37bc11
SHA1 8973ac29c299b3649e626a5d15a55c74f7005d07
SHA256 041cf75bf51a81be9e6c3e95d4c285108ecadcfefa528613f7e8c4783e78883f
SHA512 3671e7ee86192b5b0cb6443af52c8dc68603439838a0b709b93b27b747a583015c7be78c724d6ef1d3b4dc80a042fe29813936433c088cf6ccc8a687e0e71428

memory/2964-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 55d72d996f223f643f0bf427be37bc11
SHA1 8973ac29c299b3649e626a5d15a55c74f7005d07
SHA256 041cf75bf51a81be9e6c3e95d4c285108ecadcfefa528613f7e8c4783e78883f
SHA512 3671e7ee86192b5b0cb6443af52c8dc68603439838a0b709b93b27b747a583015c7be78c724d6ef1d3b4dc80a042fe29813936433c088cf6ccc8a687e0e71428

memory/2104-133-0x0000000000000000-mapping.dmp

memory/4088-134-0x0000000000000000-mapping.dmp