sakula | 6bef3daf882386d3d6e0b06e4e55675dd0f5f7afebfa0056551b7f9cf9a48c90

General

Target

e099a64759ca26fd00eab5a428b9754b.exe
Size

43KB
MD5

e099a64759ca26fd00eab5a428b9754b
SHA1

0b7dc4c4db22998bdcb6727710a83bb05ada94cf
SHA256

6bef3daf882386d3d6e0b06e4e55675dd0f5f7afebfa0056551b7f9cf9a48c90
SHA512

f0dd54098f27598f91d0462c4bf42e573d008a0de08266927fcba21c79768e8cba101af40f5adaa95dc313b77e4a8ccf94cef41b200b0d520e16986d240be973
SSDEEP

384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMa:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqC

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1084 MediaCenter.exe

pid	process
1084	MediaCenter.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/240-55-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/240-59-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/1936-70-0x0000000000160000-0x000000000016D000-memory.dmp	upx
behavioral1/memory/1084-72-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1428 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1936 cmd.exe
1936 cmd.exe

pid	process
1428	cmd.exe

pid	process
1936	cmd.exe
1936	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1112 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

908 PING.EXE

pid	process
1112	reg.exe

pid	process
908	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e099a64759ca26fd00eab5a428b9754b.execmd.execmd.execmd.exe

description	pid	process	target process
PID 240 wrote to memory of 952	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 952	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 952	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 952	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1936	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1936	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1936	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1936	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1428	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1428	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1428	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 240 wrote to memory of 1428	240	e099a64759ca26fd00eab5a428b9754b.exe	cmd.exe
PID 952 wrote to memory of 1112	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1112	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1112	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1112	952	cmd.exe	reg.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	MediaCenter.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	MediaCenter.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	MediaCenter.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	MediaCenter.exe
PID 1428 wrote to memory of 908	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 908	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 908	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 908	1428	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe
"C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
43KB

MD5
29017d4c24afa23da3ed2ea198c26193

SHA1
e03ceb3ca91d319a28803d7d5a9e72625a04f3f0

SHA256
a4fe850c7142abd40e1d1f2ae994d7911630660329c15ed0f6b96325e70234cc

SHA512
6bf48ae2ef82ac93e3211dc6f7c374a9725eadf57ebfc4ef28325325c95cd882423b47286f909bb49e5eab0a966af52b526034363a5ce3bc68947a4aea192d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
43KB

MD5
29017d4c24afa23da3ed2ea198c26193

SHA1
e03ceb3ca91d319a28803d7d5a9e72625a04f3f0

SHA256
a4fe850c7142abd40e1d1f2ae994d7911630660329c15ed0f6b96325e70234cc

SHA512
6bf48ae2ef82ac93e3211dc6f7c374a9725eadf57ebfc4ef28325325c95cd882423b47286f909bb49e5eab0a966af52b526034363a5ce3bc68947a4aea192d05

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
43KB

MD5
29017d4c24afa23da3ed2ea198c26193

SHA1
e03ceb3ca91d319a28803d7d5a9e72625a04f3f0

SHA256
a4fe850c7142abd40e1d1f2ae994d7911630660329c15ed0f6b96325e70234cc

SHA512
6bf48ae2ef82ac93e3211dc6f7c374a9725eadf57ebfc4ef28325325c95cd882423b47286f909bb49e5eab0a966af52b526034363a5ce3bc68947a4aea192d05

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
43KB

MD5
29017d4c24afa23da3ed2ea198c26193

SHA1
e03ceb3ca91d319a28803d7d5a9e72625a04f3f0

SHA256
a4fe850c7142abd40e1d1f2ae994d7911630660329c15ed0f6b96325e70234cc

SHA512
6bf48ae2ef82ac93e3211dc6f7c374a9725eadf57ebfc4ef28325325c95cd882423b47286f909bb49e5eab0a966af52b526034363a5ce3bc68947a4aea192d05

Download Submit
memory/240-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/240-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/240-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/908-65-0x0000000000000000-mapping.dmp

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1084-64-0x0000000000000000-mapping.dmp

Download
memory/1084-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1112-60-0x0000000000000000-mapping.dmp

Download
memory/1428-58-0x0000000000000000-mapping.dmp

Download
memory/1936-57-0x0000000000000000-mapping.dmp

Download
memory/1936-68-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1936-69-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1936-70-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1936-71-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads