General

  • Target

    c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4

  • Size

    60KB

  • Sample

    221018-csmdnsecfn

  • MD5

    cfb618ea09382a4e7a68c3dd6a4732b3

  • SHA1

    9156cb63276c50d24fa11f4dc6c2c65c01db2bb9

  • SHA256

    c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4

  • SHA512

    ff373843fe5d698316076cde9a087216ac62aefda35408a998ee407e0d9813d6a8b2025788cdfe6e3e7d3dc07a433afe7e8eb6140c0923292d3aaaa30f303f5e

  • SSDEEP

    1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/X:iEoIlwIguEA4c5DgA9DOyq0eFP

Malware Config

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      1      T1112
  Discovery         Query Registry                       1      T1012
  Discovery         System Information Discovery         2      T1082
  Discovery         Remote System Discovery              1      T1018

Tasks