sakula | 438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553

General

Target

438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe
Size

42KB
MD5

2f2a05582e1b8b5a71811c9c68fe3eec
SHA1

22e1cedd966a64615fc76a0a5a3653c058766b80
SHA256

438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553
SHA512

2c22e32b72e76770227452a928f5579dbc799e0260bd8f51f983e16a64f950bb4259cdbd491533bcf94d2cadc95421322e009684dcc60fed148c2ff2195ef07f

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1992 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2040 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe
1208 cmd.exe

pid	process
1992	MediaCenter.exe

pid	process
2040	cmd.exe

pid	process
1208	cmd.exe
1208	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1380 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

932 PING.EXE

pid	process
1380	reg.exe

pid	process
932	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1064	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1064	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1064	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1064	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1208	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1208	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1208	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 1208	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 2040	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 2040	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 2040	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1524 wrote to memory of 2040	1524	438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe	cmd.exe
PID 1208 wrote to memory of 1992	1208	cmd.exe	MediaCenter.exe
PID 1208 wrote to memory of 1992	1208	cmd.exe	MediaCenter.exe
PID 1208 wrote to memory of 1992	1208	cmd.exe	MediaCenter.exe
PID 1208 wrote to memory of 1992	1208	cmd.exe	MediaCenter.exe
PID 1064 wrote to memory of 1380	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1380	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1380	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1380	1064	cmd.exe	reg.exe
PID 2040 wrote to memory of 932	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 932	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 932	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 932	2040	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe
"C:\Users\Admin\AppData\Local\Temp\438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\438f9ed2b694491948810fa0d58203501535c5648b96ae6bc2870f2c83d02553.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
4fc6f86c8e5cb0c12927f68233452b83

SHA1
281a10a62213c948fa383441d56a5fdae38fadd9

SHA256
1d172d124b85716c8f3a277bd741ae92a30308b1f69eeffbfd6314efdd3aaa16

SHA512
d5da1acdbed1d6444d743cefbde9f410e133a3ba25b5001a5dce75a9e46e468f55bb3bc4cff83ee2b7f7488cf4e1e4663888be33a02ee1b2820a237f4c59b337

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
4fc6f86c8e5cb0c12927f68233452b83

SHA1
281a10a62213c948fa383441d56a5fdae38fadd9

SHA256
1d172d124b85716c8f3a277bd741ae92a30308b1f69eeffbfd6314efdd3aaa16

SHA512
d5da1acdbed1d6444d743cefbde9f410e133a3ba25b5001a5dce75a9e46e468f55bb3bc4cff83ee2b7f7488cf4e1e4663888be33a02ee1b2820a237f4c59b337

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
4fc6f86c8e5cb0c12927f68233452b83

SHA1
281a10a62213c948fa383441d56a5fdae38fadd9

SHA256
1d172d124b85716c8f3a277bd741ae92a30308b1f69eeffbfd6314efdd3aaa16

SHA512
d5da1acdbed1d6444d743cefbde9f410e133a3ba25b5001a5dce75a9e46e468f55bb3bc4cff83ee2b7f7488cf4e1e4663888be33a02ee1b2820a237f4c59b337

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
4fc6f86c8e5cb0c12927f68233452b83

SHA1
281a10a62213c948fa383441d56a5fdae38fadd9

SHA256
1d172d124b85716c8f3a277bd741ae92a30308b1f69eeffbfd6314efdd3aaa16

SHA512
d5da1acdbed1d6444d743cefbde9f410e133a3ba25b5001a5dce75a9e46e468f55bb3bc4cff83ee2b7f7488cf4e1e4663888be33a02ee1b2820a237f4c59b337

Download Submit
memory/932-67-0x0000000000000000-mapping.dmp

Download
memory/1064-58-0x0000000000000000-mapping.dmp

Download
memory/1208-59-0x0000000000000000-mapping.dmp

Download
memory/1208-71-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1208-70-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1208-69-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1380-65-0x0000000000000000-mapping.dmp

Download
memory/1524-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1524-54-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1524-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1524-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1992-64-0x0000000000000000-mapping.dmp

Download
memory/1992-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing