sakula | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c

General

Target

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
Size

40KB
MD5

1cc8846038d84ed445d3a71fd4fc88eb
SHA1

85c988e1827cf3aa75926be7c002c71585013b04
SHA256

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c
SHA512

890d2cca605adfabb6c4104b2a6aad1503abc513f037d9f98b2f6ad113ed1edc3b287e3f4211c31f577c9b7ca181d0c0cbc701f2066e4e22439f9fea6918383c

Score

10^/10

sakula persistence rat suricata trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4604 MediaCenter.exe

pid	process
4604	MediaCenter.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2324-133-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/4604-139-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4620 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2104 PING.EXE

pid	process
4620	reg.exe

pid	process
2104	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 4820	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 4820	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 4820	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 372	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 372	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 372	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 2604	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 2604	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2324 wrote to memory of 2604	2324	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 2604 wrote to memory of 2104	2604	cmd.exe	PING.EXE
PID 2604 wrote to memory of 2104	2604	cmd.exe	PING.EXE
PID 2604 wrote to memory of 2104	2604	cmd.exe	PING.EXE
PID 4820 wrote to memory of 4620	4820	cmd.exe	reg.exe
PID 4820 wrote to memory of 4620	4820	cmd.exe	reg.exe
PID 4820 wrote to memory of 4620	4820	cmd.exe	reg.exe
PID 372 wrote to memory of 4604	372	cmd.exe	MediaCenter.exe
PID 372 wrote to memory of 4604	372	cmd.exe	MediaCenter.exe
PID 372 wrote to memory of 4604	372	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
"C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
1⤵
- Adds Run key to start application
- Modifies registry key
PID:4620

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
77cc13e7775c7f2f551342d0bf80d4af

SHA1
32d4134db40de9ccfff369f06c428cc81908ba65

SHA256
24832259bdc017e1ed5e1d23b362a1efaa42255f45e521f940c6b85ae1588148

SHA512
24741c90cc11cee638d15fad1d9fbe97e6a2f58efb678ee405c955a4d8b0b99666e1d1eb76032a41508c2e35490904b3863fc0ed3d40e91589c409d0d08f714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
77cc13e7775c7f2f551342d0bf80d4af

SHA1
32d4134db40de9ccfff369f06c428cc81908ba65

SHA256
24832259bdc017e1ed5e1d23b362a1efaa42255f45e521f940c6b85ae1588148

SHA512
24741c90cc11cee638d15fad1d9fbe97e6a2f58efb678ee405c955a4d8b0b99666e1d1eb76032a41508c2e35490904b3863fc0ed3d40e91589c409d0d08f714e

Download Submit
memory/372-131-0x0000000000000000-mapping.dmp

Download
memory/2104-134-0x0000000000000000-mapping.dmp

Download
memory/2324-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2604-132-0x0000000000000000-mapping.dmp

Download
memory/4604-136-0x0000000000000000-mapping.dmp

Download
memory/4604-139-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4620-135-0x0000000000000000-mapping.dmp

Download
memory/4820-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads