sakula | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244

General

Target

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
Size

101KB
MD5

9136918998cd24a1549e0b9ee1500024
SHA1

69e7a0f7026355e2279e7619a3d2dc375bcaceb2
SHA256

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244
SHA512

895314a3a3d822e4c938b6a1db0f3dcccab3fa5325b43b4b95f892b0b421ca7df8a3afbedf987e631eb3148bdca5d114c357a7bd560463037b3ffedbcd62368e
SSDEEP

1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrGPTEzl:/bfVk29te2jqxCEtg30BibEp

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

872 AdobeUpdate.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1188 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exeAdobeUpdate.exe

pid process

896 ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
872 AdobeUpdate.exe
872 AdobeUpdate.exe
872 AdobeUpdate.exe

pid	process
872	AdobeUpdate.exe

pid	process
1188	cmd.exe

pid	process
896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
872	AdobeUpdate.exe
872	AdobeUpdate.exe
872	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1180 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

description pid process

Token: SeIncBasePriorityPrivilege 896 ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

pid	process
1180	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 872	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 896 wrote to memory of 1188	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 896 wrote to memory of 1188	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 896 wrote to memory of 1188	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 896 wrote to memory of 1188	896	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 1188 wrote to memory of 1180	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1180	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1180	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1180	1188	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
02d3f1b630a038d8c2d4880b28e63da2

SHA1
cf16aa75fa7bcece1ba2788a259530c376af4d62

SHA256
c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748

SHA512
9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

Download Submit
memory/872-56-0x0000000000000000-mapping.dmp

Download
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1180-64-0x0000000000000000-mapping.dmp

Download
memory/1188-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads