Malware Analysis Report

2024-12-07 22:10

Sample ID 221010-c3scnsach5
Target 3cae1b420842e5bc4098dffac0dd44fa
SHA256 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11

Threat Level: Known bad

The file 3cae1b420842e5bc4098dffac0dd44fa was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-10 02:36

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-10 02:36

Reported

2022-10-10 02:39

Platform

win10v2004-20220812-en

Max time kernel

131s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe

"C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 67.27.154.126:80 | | tcp
US | 67.27.154.126:80 | | tcp
US | 20.189.173.15:443 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 67.27.154.126:80 | | tcp
US | 67.27.154.126:80 | | tcp
US | 67.27.154.126:80 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 2a64a6d6a74484ac0436352c048e9463
SHA1 a73d9a28a993c892c5d70004133f8bb24b783942
SHA256 bdd61c172eecd899a11ef6638f565789bdb95528d23dda88fd7480f926b5a029
SHA512 64354321bb87a83f9d8dda47e4967c0c9d249d447b7c97c311726905940a931e2ddd8b890edf966d3504cf893855da7bb815a3d50e7a97681e4a7bd5c33520a8

memory/4968-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 2a64a6d6a74484ac0436352c048e9463
SHA1 a73d9a28a993c892c5d70004133f8bb24b783942
SHA256 bdd61c172eecd899a11ef6638f565789bdb95528d23dda88fd7480f926b5a029
SHA512 64354321bb87a83f9d8dda47e4967c0c9d249d447b7c97c311726905940a931e2ddd8b890edf966d3504cf893855da7bb815a3d50e7a97681e4a7bd5c33520a8

memory/3416-135-0x0000000000000000-mapping.dmp

memory/3724-136-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-10 02:36

Reported

2022-10-10 02:39

Platform

win7-20220812-en

Max time kernel

121s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1096 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1096 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1096 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1096 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1096 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1696 wrote to memory of 292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1696 wrote to memory of 292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1696 wrote to memory of 292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe

"C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1096-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f428350ee7737de4590ecb1c1695de9
SHA1 a4c67d71f2f71228289652fc3864d6ac2aababc5
SHA256 271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1
SHA512 a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f428350ee7737de4590ecb1c1695de9
SHA1 a4c67d71f2f71228289652fc3864d6ac2aababc5
SHA256 271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1
SHA512 a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

memory/1628-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0f428350ee7737de4590ecb1c1695de9
SHA1 a4c67d71f2f71228289652fc3864d6ac2aababc5
SHA256 271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1
SHA512 a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

memory/1696-60-0x0000000000000000-mapping.dmp

memory/292-61-0x0000000000000000-mapping.dmp