sakula | 962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f

General

Target

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe
Size

42KB
MD5

0df6396e7775f62dba90ff08a846cc34
SHA1

6bbc28cd80acc12f222c45b8ab93a7b34f0d6b48
SHA256

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f
SHA512

7f46b8d2b8f0281d249e626c9e1dcbffe1b8054ea926e3bbb53cceb029d40843a33c986bc6d17ebbec992b395cf288e2b61e37a3d42036eef9c5f1521e24c2df

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1744 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1196 cmd.exe
1196 cmd.exe

pid	process
1744	MediaCenter.exe

pid	process
2044	cmd.exe

pid	process
1196	cmd.exe
1196	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1880 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

820 PING.EXE

pid	process
1880	reg.exe

pid	process
820	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1980	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1980	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1980	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1980	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1196	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1196	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1196	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 1196	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 2044 wrote to memory of 820	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 820	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 820	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 820	2044	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1744	1196	cmd.exe	MediaCenter.exe
PID 1196 wrote to memory of 1744	1196	cmd.exe	MediaCenter.exe
PID 1196 wrote to memory of 1744	1196	cmd.exe	MediaCenter.exe
PID 1196 wrote to memory of 1744	1196	cmd.exe	MediaCenter.exe
PID 1980 wrote to memory of 1880	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1880	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1880	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1880	1980	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe
"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f014d58b4cc6411e5ec4ca445dcbdbf

SHA1
e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe

SHA256
20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613

SHA512
0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f014d58b4cc6411e5ec4ca445dcbdbf

SHA1
e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe

SHA256
20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613

SHA512
0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f014d58b4cc6411e5ec4ca445dcbdbf

SHA1
e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe

SHA256
20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613

SHA512
0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f014d58b4cc6411e5ec4ca445dcbdbf

SHA1
e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe

SHA256
20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613

SHA512
0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

Download Submit
memory/820-61-0x0000000000000000-mapping.dmp

Download
memory/1196-57-0x0000000000000000-mapping.dmp

Download
memory/1744-63-0x0000000000000000-mapping.dmp

Download
memory/1880-66-0x0000000000000000-mapping.dmp

Download
memory/1980-56-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing