sakula | 1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b

General

Target

6c2a5e3bda43426781fbb5693fdf2a96.exe
Size

43KB
MD5

6c2a5e3bda43426781fbb5693fdf2a96
SHA1

32f70a92f99232b52e1f9683d2788c7c90ed5df0
SHA256

1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b
SHA512

416964a6224ad459b8875f45eb19f4750da1cfd63cac2412c36c1918898a9d66a9750453bf2964f4ccbd311e804864f7fe97ed8d3f3ff80e7ce430d7a6953c4d
SSDEEP

384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMB:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqJ

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1168 MediaCenter.exe

pid	process
1168	MediaCenter.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1388-55-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/1388-59-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/2012-66-0x0000000000130000-0x000000000013D000-memory.dmp	upx
behavioral1/memory/2012-70-0x0000000000130000-0x000000000013D000-memory.dmp	upx
behavioral1/memory/1168-72-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1164 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2012 cmd.exe
2012 cmd.exe

pid	process
1164	cmd.exe

pid	process
2012	cmd.exe
2012	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

912 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

904 PING.EXE

pid	process
912	reg.exe

pid	process
904	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6c2a5e3bda43426781fbb5693fdf2a96.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 792	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 792	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 792	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 792	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 2012	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 2012	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 2012	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 2012	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 2012 wrote to memory of 1168	2012	cmd.exe	MediaCenter.exe
PID 2012 wrote to memory of 1168	2012	cmd.exe	MediaCenter.exe
PID 2012 wrote to memory of 1168	2012	cmd.exe	MediaCenter.exe
PID 2012 wrote to memory of 1168	2012	cmd.exe	MediaCenter.exe
PID 792 wrote to memory of 912	792	cmd.exe	reg.exe
PID 792 wrote to memory of 912	792	cmd.exe	reg.exe
PID 792 wrote to memory of 912	792	cmd.exe	reg.exe
PID 792 wrote to memory of 912	792	cmd.exe	reg.exe
PID 1164 wrote to memory of 904	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 904	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 904	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 904	1164	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe
"C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
2d5d0cefc576aa916383504e1baba102

SHA1
97cae77569916e6922d9cf585f335b4b12540191

SHA256
abf70cb1775f92e4e7ae7cc9ad7b92a127b4b8a99d8f19c279b47af8a9eb3717

SHA512
b62901db93e081279f078e705342d8adf1707bdf0797cd3b9fc2f55aa9b919c42f28e0f37df4af29e60cf717f8fdec800ce1dccfa63355be4b05c0a47b19a350

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
2d5d0cefc576aa916383504e1baba102

SHA1
97cae77569916e6922d9cf585f335b4b12540191

SHA256
abf70cb1775f92e4e7ae7cc9ad7b92a127b4b8a99d8f19c279b47af8a9eb3717

SHA512
b62901db93e081279f078e705342d8adf1707bdf0797cd3b9fc2f55aa9b919c42f28e0f37df4af29e60cf717f8fdec800ce1dccfa63355be4b05c0a47b19a350

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
2d5d0cefc576aa916383504e1baba102

SHA1
97cae77569916e6922d9cf585f335b4b12540191

SHA256
abf70cb1775f92e4e7ae7cc9ad7b92a127b4b8a99d8f19c279b47af8a9eb3717

SHA512
b62901db93e081279f078e705342d8adf1707bdf0797cd3b9fc2f55aa9b919c42f28e0f37df4af29e60cf717f8fdec800ce1dccfa63355be4b05c0a47b19a350

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
2d5d0cefc576aa916383504e1baba102

SHA1
97cae77569916e6922d9cf585f335b4b12540191

SHA256
abf70cb1775f92e4e7ae7cc9ad7b92a127b4b8a99d8f19c279b47af8a9eb3717

SHA512
b62901db93e081279f078e705342d8adf1707bdf0797cd3b9fc2f55aa9b919c42f28e0f37df4af29e60cf717f8fdec800ce1dccfa63355be4b05c0a47b19a350

Download Submit
memory/792-56-0x0000000000000000-mapping.dmp

Download
memory/904-69-0x0000000000000000-mapping.dmp

Download
memory/912-68-0x0000000000000000-mapping.dmp

Download
memory/1164-58-0x0000000000000000-mapping.dmp

Download
memory/1168-63-0x0000000000000000-mapping.dmp

Download
memory/1168-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1388-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1388-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1388-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2012-66-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/2012-67-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download
memory/2012-70-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/2012-71-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads