Malware Analysis Report

2024-12-07 22:09

Sample ID: 221004-anje4sdfgm
Target: ed9f64044aa25abc28fa4340eb9337e6.bin
SHA256: de1241f331f48e829e0a632c29c59f63662d180afb8e88bc42bdf959e4333b1d
Tags: sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: de1241f331f48e829e0a632c29c59f63662d180afb8e88bc42bdf959e4333b1d

Threat Level: Known bad

The file ed9f64044aa25abc28fa4340eb9337e6.bin was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Sakula family

Sakula payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-04 00:21

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-04 00:21
Reported: 2022-10-04 00:24
Platform: win7-20220812-en
Max time kernel: 101s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (6 identical rows: six matches with no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   (7 identical events)
PID 836 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | C:\Windows\SysWOW64\cmd.exe   (4 identical events)
PID 1568 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE   (4 identical events)

Processes

Process image (command line indented below):

C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe
  "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
BE | 35.205.61.67:80 | www.savmpet.com | tcp   (4 connections)

Files

memory/836-54-0x0000000076401000-0x0000000076403000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
(the report lists this file six times, with and without the C: drive prefix, always with identical hashes)
MD5: c3dffc8c982b7af1b8e58c1f57dce052
SHA1: 6d553e29b17c705e75e2b95f6216806fd9520a5f
SHA256: a5d25002ba7d08323ce4ede59de27c45edf7f0284b70f51f1128972cb6266e2c
SHA512: 96ad8212baa95beb24cd440956a3b305db54a7079059fb6021397f8616b113fe7e9ba6197a10f59f71654b253cd85ec70e27961e092f713596827aa38ff87344

memory/912-56-0x0000000000000000-mapping.dmp

memory/1568-63-0x0000000000000000-mapping.dmp

memory/1480-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-04 00:21
Reported: 2022-10-04 00:24
Platform: win10v2004-20220812-en
Max time kernel: 120s
Max time network: 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (2 identical rows: two matches with no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe | N/A

Processes

Process image (command line indented below):

C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe
  "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
US | 209.197.3.8:80 | - | tcp   (2 connections)
US | 20.189.173.4:443 | - | tcp
NL | 87.248.202.1:80 | - | tcp   (3 connections)
BE | 35.205.61.67:80 | www.savmpet.com | tcp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
BE | 35.205.61.67:80 | www.savmpet.com | tcp   (2 connections)

Files

memory/1164-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
(the report lists this file twice with identical hashes)
MD5: 4386b50958d08b1079126e33301deaa1
SHA1: 379b306a869b3ef304de0e89ed3f8d3aa86be0ff
SHA256: 857853346db45d003091675ca9bbabf60cbff02161b21d6a23d1f4cf89be8988
SHA512: 87d6b54396759d86403bf4e42d48bef5486bd78901419a2d9189442cd0f960fef2949fe1be65e806d979d520633ef5dc4a57aeeb4238562f6315a9056fc6cee4

memory/3384-135-0x0000000000000000-mapping.dmp

memory/2680-136-0x0000000000000000-mapping.dmp