sakula | 1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b

General

Target

6c2a5e3bda43426781fbb5693fdf2a96.exe
Size

43KB
MD5

6c2a5e3bda43426781fbb5693fdf2a96
SHA1

32f70a92f99232b52e1f9683d2788c7c90ed5df0
SHA256

1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b
SHA512

416964a6224ad459b8875f45eb19f4750da1cfd63cac2412c36c1918898a9d66a9750453bf2964f4ccbd311e804864f7fe97ed8d3f3ff80e7ce430d7a6953c4d
SSDEEP

384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMB:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqJ

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3736 MediaCenter.exe

pid	process
3736	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4436-132-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4436-133-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4436-137-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/3736-143-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3736-144-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3832 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3756 PING.EXE

pid	process
3832	reg.exe

pid	process
3756	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6c2a5e3bda43426781fbb5693fdf2a96.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 3820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 3820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 3820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4820	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4888	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4888	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 4436 wrote to memory of 4888	4436	6c2a5e3bda43426781fbb5693fdf2a96.exe	cmd.exe
PID 3820 wrote to memory of 3832	3820	cmd.exe	reg.exe
PID 3820 wrote to memory of 3832	3820	cmd.exe	reg.exe
PID 3820 wrote to memory of 3832	3820	cmd.exe	reg.exe
PID 4888 wrote to memory of 3756	4888	cmd.exe	PING.EXE
PID 4888 wrote to memory of 3756	4888	cmd.exe	PING.EXE
PID 4888 wrote to memory of 3756	4888	cmd.exe	PING.EXE
PID 4820 wrote to memory of 3736	4820	cmd.exe	MediaCenter.exe
PID 4820 wrote to memory of 3736	4820	cmd.exe	MediaCenter.exe
PID 4820 wrote to memory of 3736	4820	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe
"C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
d63f2fb5bf9e17b1e90e5a0ab7a70c35

SHA1
3b492f68875936a2f5a6a92403b80881f272b232

SHA256
edaf0a4d4f71d633b53d6bd6f5091ad6a7a88258c650772033b3832cea368e93

SHA512
fb37e0b2167352d1f7679797228c6402e8b254184c7d6a2c2e277b33a4cac2fc5fe39bfc72d52c1e3f4ec574f528f810f7b876785575ff61398d1f679cbd8263

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
d63f2fb5bf9e17b1e90e5a0ab7a70c35

SHA1
3b492f68875936a2f5a6a92403b80881f272b232

SHA256
edaf0a4d4f71d633b53d6bd6f5091ad6a7a88258c650772033b3832cea368e93

SHA512
fb37e0b2167352d1f7679797228c6402e8b254184c7d6a2c2e277b33a4cac2fc5fe39bfc72d52c1e3f4ec574f528f810f7b876785575ff61398d1f679cbd8263

Download Submit
memory/3736-140-0x0000000000000000-mapping.dmp

Download
memory/3736-144-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3736-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3756-139-0x0000000000000000-mapping.dmp

Download
memory/3820-134-0x0000000000000000-mapping.dmp

Download
memory/3832-138-0x0000000000000000-mapping.dmp

Download
memory/4436-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4436-137-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4436-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4820-135-0x0000000000000000-mapping.dmp

Download
memory/4888-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads