Malware Analysis Report

2024-12-07 22:10

Sample ID: 221013-b4w7ksaeh6
Target: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244
SHA256: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244
Tags: sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244

Threat Level: Known bad

The file ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula payload

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-13 01:42

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-13 01:42
Reported: 2022-10-13 01:47
Platform: win7-20220812-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 hits, no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 896 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | 7
PID 896 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1188 wrote to memory of 1180 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4

Processes

C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | www.savmpet.com | udp | 1
BE | 35.205.61.67:80 | www.savmpet.com | tcp | 5
NL | 142.250.179.194:443 | - | tcp | 2
NL | 216.58.208.100:443 | - | tcp | 1
US | 104.200.22.130:80 | - | tcp | 1

Files

memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe; the report lists this file six times with identical hashes)

MD5 02d3f1b630a038d8c2d4880b28e63da2
SHA1 cf16aa75fa7bcece1ba2788a259530c376af4d62
SHA256 c5bd2cdafffc937793d952e46494fac8777979f1f4df0a20a134e3dcc80d3748
SHA512 9625fd6394aaeec81bcbecec6ccf1062d32077515f0d7ff57a7e52b6ede8a83212901378995968787d697e6345f6eb1346d1c8b7db8cc790a81d776f033ca728

memory/872-56-0x0000000000000000-mapping.dmp

memory/1188-63-0x0000000000000000-mapping.dmp

memory/1180-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-13 01:42
Reported: 2022-10-13 01:46
Platform: win10v2004-20220901-en
Max time kernel: 112s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 hits, no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe

"C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto | Count
DE | 116.202.186.42:80 | - | tcp | 1
US | 45.136.151.102:80 | - | tcp | 2
US | 198.135.55.114:80 | - | tcp | 2
US | 8.8.8.8:53 | www.savmpet.com | udp | 1
BE | 35.205.61.67:80 | www.savmpet.com | tcp | 4
NL | 104.80.229.204:443 | - | tcp | 1
GB | 51.104.15.252:443 | - | tcp | 1
NL | 87.248.202.1:80 | - | tcp | 2
BE | 67.24.33.254:80 | - | tcp | 1

Files

memory/2584-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (the report lists this file twice with identical hashes)

MD5 f53f73bde73aa509e0c9875283a1774d
SHA1 ab40fc6498982cad152135deadcfb9a6cf0c506f
SHA256 3a591ad13fba6d937394119228c5fb9c410962099f5c81edfd744c2530b45f30
SHA512 556386336eb501c9bc801e70b2ac3accfd172a15c9006af1fdee1c3543fffd64e653fd7cfc7b5b3608adc404775eaa644bee578b1c47111adddabfc9bfe6351a

memory/4788-135-0x0000000000000000-mapping.dmp

memory/4452-136-0x0000000000000000-mapping.dmp