Malware Analysis Report

2024-12-07 22:08

Sample ID 220619-xnyalahccl
Target b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3
SHA256 b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3
Tags
sakula persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3

Threat Level: Known bad

The file b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula Payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-19 19:00

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-19 19:00

Reported

2022-06-19 19:06

Platform

win7-20220414-en

Max time kernel

117s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1044 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1044 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1044 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1680 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe

"C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp
TH 184.22.175.13:80 tcp

Files

memory/1044-54-0x0000000075441000-0x0000000075443000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 1dd1ef27648b18c8a6b145105ddb753a
SHA1 8380ebd4fae777342d11f163c7eb25d7696aa802
SHA256 0fd5a9615ac90575584625c81d0b8dcb442e7bb4a449b0d5a60e55be02fa9a1c
SHA512 9a8878c1f875151c1c96b6aeb57c55e801a1abe2232982dc19a7c0ca1f0b337d758fc50479417236f54178ef49c22ce0873fc1b1a74ad9799d2431a66fb95397

memory/2020-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 1dd1ef27648b18c8a6b145105ddb753a
SHA1 8380ebd4fae777342d11f163c7eb25d7696aa802
SHA256 0fd5a9615ac90575584625c81d0b8dcb442e7bb4a449b0d5a60e55be02fa9a1c
SHA512 9a8878c1f875151c1c96b6aeb57c55e801a1abe2232982dc19a7c0ca1f0b337d758fc50479417236f54178ef49c22ce0873fc1b1a74ad9799d2431a66fb95397

memory/1680-60-0x0000000000000000-mapping.dmp

memory/1512-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-19 19:00

Reported

2022-06-19 19:07

Platform

win10v2004-20220414-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe

"C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b43e87cd35d2ecfe768b328e6033f51c118cbc68bedb6a1ce889aa0e77ad32e3.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 104.208.16.90:443 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

memory/3556-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 4b40bffa4690c92841c601b83a2f7686
SHA1 2ffcb243a729771c265b3d72130ed884230f432a
SHA256 0ddbb62ea30568d62c2f1f724b99c7892cd3542d1c607b491891f9f60fe79e79
SHA512 3024a930a55e982559409b5620187d3cc62f530a37dd31c6fe763a07e75e47a40d8e31f81c10e4fc986711f70742e3934c16aa69928a55f67280a98ff9c16b0f

memory/2492-133-0x0000000000000000-mapping.dmp

memory/4948-134-0x0000000000000000-mapping.dmp