Malware Analysis Report

2024-12-07 22:09

Sample ID: 221018-a1aczaeafp
Target: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672
SHA256: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672
Tags: sakula, persistence, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672

Threat Level: Known bad

The file 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672 was found to be: Known bad.

Malicious Activity Summary

Tags: sakula, persistence, rat, trojan

Sakula family

Sakula payload

Sakula

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-18 00:40

Signatures

Sakula family

Tags: sakula

Sakula payload


Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-18 00:40

Reported: 2022-10-18 00:42

Platform: win7-20220812-en

Max time kernel: 131s

Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

Signatures

Sakula

Tags: trojan, rat, sakula

Sakula payload


Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1408 wrote to memory of 1372 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1408 wrote to memory of 1772 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 1620 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

"C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 204.11.56.48:80 | www.polarroute.com | tcp (4 events)
US | 8.8.8.8:53 | www.northpoleroute.com | udp

Files

memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 2df33638bf15a52dfbf851286d987128
SHA1 eb2d49a70b751a2ed6382a021431224911e1252b
SHA256 abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990
SHA512 8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f

memory/1372-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 2df33638bf15a52dfbf851286d987128
SHA1 eb2d49a70b751a2ed6382a021431224911e1252b
SHA256 abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990
SHA512 8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f

memory/1772-59-0x0000000000000000-mapping.dmp

memory/1620-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-18 00:40

Reported: 2022-10-18 00:42

Platform: win10v2004-20220901-en

Max time kernel: 138s

Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

Signatures

Sakula

Tags: trojan, rat, sakula

Sakula payload


Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

"C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 93.184.221.240:80 | - | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 20.189.173.1:443 | - | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
NL | 87.248.202.1:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp (4 events)

Files

memory/2152-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 8842ab35638ada36bf69c7181b58b813
SHA1 c0f01ae02b7ca777426445bb0be23caf75ac5f7f
SHA256 d6b7b06e91405fbae7c24470e3ee2a81ba9e04e28ac67ddcf0435ee06c0949dc
SHA512 4def9b6c8c82e161e950dced76534ee82850765575d2d1057680d244d1db6137d832953805d062baebed6c8b0803501718267bdcb4369fc09f6e4277495569e6

memory/1960-135-0x0000000000000000-mapping.dmp

memory/2432-136-0x0000000000000000-mapping.dmp