sakula | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244

General

Target

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
Size

101KB
MD5

9136918998cd24a1549e0b9ee1500024
SHA1

69e7a0f7026355e2279e7619a3d2dc375bcaceb2
SHA256

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244
SHA512

895314a3a3d822e4c938b6a1db0f3dcccab3fa5325b43b4b95f892b0b421ca7df8a3afbedf987e631eb3148bdca5d114c357a7bd560463037b3ffedbcd62368e
SSDEEP

1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrGPTEzl:/bfVk29te2jqxCEtg30BibEp

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

2584 AdobeUpdate.exe

pid	process
2584	AdobeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4452 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

description pid process

Token: SeIncBasePriorityPrivilege 4804 ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

pid	process
4452	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 2584	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 4804 wrote to memory of 2584	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 4804 wrote to memory of 2584	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	AdobeUpdate.exe
PID 4804 wrote to memory of 4788	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 4804 wrote to memory of 4788	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 4804 wrote to memory of 4788	4804	ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe	cmd.exe
PID 4788 wrote to memory of 4452	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 4452	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 4452	4788	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
f53f73bde73aa509e0c9875283a1774d

SHA1
ab40fc6498982cad152135deadcfb9a6cf0c506f

SHA256
3a591ad13fba6d937394119228c5fb9c410962099f5c81edfd744c2530b45f30

SHA512
556386336eb501c9bc801e70b2ac3accfd172a15c9006af1fdee1c3543fffd64e653fd7cfc7b5b3608adc404775eaa644bee578b1c47111adddabfc9bfe6351a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
f53f73bde73aa509e0c9875283a1774d

SHA1
ab40fc6498982cad152135deadcfb9a6cf0c506f

SHA256
3a591ad13fba6d937394119228c5fb9c410962099f5c81edfd744c2530b45f30

SHA512
556386336eb501c9bc801e70b2ac3accfd172a15c9006af1fdee1c3543fffd64e653fd7cfc7b5b3608adc404775eaa644bee578b1c47111adddabfc9bfe6351a

Download Submit
memory/2584-132-0x0000000000000000-mapping.dmp

Download
memory/4452-136-0x0000000000000000-mapping.dmp

Download
memory/4788-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads