sakula | 6cb97cb356491c601fe9b104bdeeb12351741ab13c77ce335bbb5c4981d13323

General

Target

b94c34b47ff7bb61ad8b70f18de510c7.exe
Size

43KB
MD5

b94c34b47ff7bb61ad8b70f18de510c7
SHA1

152ba262535deb241a9dbdc004c69a1564ff7803
SHA256

6cb97cb356491c601fe9b104bdeeb12351741ab13c77ce335bbb5c4981d13323
SHA512

ebfe6ce357802b8a158046144fea2532fceaa0188aceba1be49af365bd93f17ba6a07a7f8ba766a15f9d817832b815d9724509a8cdc67fe9085bb5d31f544dcc
SSDEEP

384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMs:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqE

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

812 MediaCenter.exe

pid	process
812	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1928-55-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/1928-56-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/812-70-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1136 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe
1316 cmd.exe

pid	process
1136	cmd.exe

pid	process
1316	cmd.exe
1316	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1148 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2028 PING.EXE

pid	process
1148	reg.exe

pid	process
2028	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b94c34b47ff7bb61ad8b70f18de510c7.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 1172	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1172	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1172	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1172	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1316	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1316	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1316	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1316	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1136	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1136	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1136	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1928 wrote to memory of 1136	1928	b94c34b47ff7bb61ad8b70f18de510c7.exe	cmd.exe
PID 1316 wrote to memory of 812	1316	cmd.exe	MediaCenter.exe
PID 1316 wrote to memory of 812	1316	cmd.exe	MediaCenter.exe
PID 1316 wrote to memory of 812	1316	cmd.exe	MediaCenter.exe
PID 1316 wrote to memory of 812	1316	cmd.exe	MediaCenter.exe
PID 1136 wrote to memory of 2028	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2028	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2028	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2028	1136	cmd.exe	PING.EXE
PID 1172 wrote to memory of 1148	1172	cmd.exe	reg.exe
PID 1172 wrote to memory of 1148	1172	cmd.exe	reg.exe
PID 1172 wrote to memory of 1148	1172	cmd.exe	reg.exe
PID 1172 wrote to memory of 1148	1172	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe
"C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
b1e367b777f6882bae549f5ea05808bd

SHA1
189a8b701613fc666aeac735f9aae2f90e349557

SHA256
923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935

SHA512
8cf1b5ce7f7e94094ac72cc7a122c3ea25a9db54c627413a46c51fd678c21c7fa33d2fa91309aad64e8fab105d92329f364489f7fa1f8196be6ce48df5296a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
b1e367b777f6882bae549f5ea05808bd

SHA1
189a8b701613fc666aeac735f9aae2f90e349557

SHA256
923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935

SHA512
8cf1b5ce7f7e94094ac72cc7a122c3ea25a9db54c627413a46c51fd678c21c7fa33d2fa91309aad64e8fab105d92329f364489f7fa1f8196be6ce48df5296a61

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
b1e367b777f6882bae549f5ea05808bd

SHA1
189a8b701613fc666aeac735f9aae2f90e349557

SHA256
923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935

SHA512
8cf1b5ce7f7e94094ac72cc7a122c3ea25a9db54c627413a46c51fd678c21c7fa33d2fa91309aad64e8fab105d92329f364489f7fa1f8196be6ce48df5296a61

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
b1e367b777f6882bae549f5ea05808bd

SHA1
189a8b701613fc666aeac735f9aae2f90e349557

SHA256
923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935

SHA512
8cf1b5ce7f7e94094ac72cc7a122c3ea25a9db54c627413a46c51fd678c21c7fa33d2fa91309aad64e8fab105d92329f364489f7fa1f8196be6ce48df5296a61

Download Submit
memory/812-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/812-63-0x0000000000000000-mapping.dmp

Download
memory/1136-59-0x0000000000000000-mapping.dmp

Download
memory/1148-67-0x0000000000000000-mapping.dmp

Download
memory/1172-57-0x0000000000000000-mapping.dmp

Download
memory/1316-58-0x0000000000000000-mapping.dmp

Download
memory/1316-68-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1316-69-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1316-71-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1316-72-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1928-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2028-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads