Malware Analysis Report

2024-12-07 22:06

Sample ID 220326-d7673afha5
Target 962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f
SHA256 962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f
Tags: sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f

Threat Level: Known bad

The file 962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 03:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 03:40

Reported

2022-03-26 19:59

Platform

win7-20220310-en

Max time kernel

4294193s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2044 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2044 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2044 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1196 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1196 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1196 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1196 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1980 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe

"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp

Files

memory/2016-54-0x00000000765D1000-0x00000000765D3000-memory.dmp

memory/2016-55-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1980-56-0x0000000000000000-mapping.dmp

memory/1196-57-0x0000000000000000-mapping.dmp

memory/2044-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f014d58b4cc6411e5ec4ca445dcbdbf
SHA1 e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe
SHA256 20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613
SHA512 0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f014d58b4cc6411e5ec4ca445dcbdbf
SHA1 e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe
SHA256 20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613
SHA512 0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

memory/1744-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f014d58b4cc6411e5ec4ca445dcbdbf
SHA1 e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe
SHA256 20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613
SHA512 0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

memory/820-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f014d58b4cc6411e5ec4ca445dcbdbf
SHA1 e895e3ddaf1dace0ac4e65e46fbf34ec89c655fe
SHA256 20712d629b8b42dd8e73a5ae255c76b7d933a83f5c348d52ff5645332d394613
SHA512 0fac9485b1750aff2996effd6a13a2e507d501c357a32ab625b4f4ee4309c1209cd743c211a06b1361c6dff3bceba72e4913176c602bcbc56b6274dbfd554b32

memory/1880-66-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 03:40

Reported

2022-03-26 19:52

Platform

win10v2004-en-20220113

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5096 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3720 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5096 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3720 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5096 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4316 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 4316 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 4316 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe

"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country Destination Domain Proto
NL 178.79.208.1:80 N/A tcp
NL 178.79.208.1:80 N/A tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
NL 104.110.191.133:80 N/A tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp

Files

memory/5096-130-0x0000000000000000-mapping.dmp

memory/4316-131-0x0000000000000000-mapping.dmp

memory/3720-132-0x0000000000000000-mapping.dmp

memory/4720-133-0x0000000000400000-0x000000000040B000-memory.dmp

memory/560-135-0x0000000000000000-mapping.dmp

memory/4672-134-0x0000000000000000-mapping.dmp

memory/3440-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 c81ab6ef72b6160928df060288c96774
SHA1 4536573fd5b7a19580a8d107aba51b88337bb4c3
SHA256 167f30bd9f16acffd8de9ae258710d2383aed2a72589fc30d6935387feb8a23f
SHA512 728d04a9bc932383d3c687c37eb7dee9a3fd7f5be23c1b3d5f826c4079164811b162cb3f8fee77f922cccc119de949d8a659c2e6043134f13f163b1702c225fa

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 c81ab6ef72b6160928df060288c96774
SHA1 4536573fd5b7a19580a8d107aba51b88337bb4c3
SHA256 167f30bd9f16acffd8de9ae258710d2383aed2a72589fc30d6935387feb8a23f
SHA512 728d04a9bc932383d3c687c37eb7dee9a3fd7f5be23c1b3d5f826c4079164811b162cb3f8fee77f922cccc119de949d8a659c2e6043134f13f163b1702c225fa

memory/3440-139-0x0000000000400000-0x000000000040B000-memory.dmp