General

  • Target

    07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710

  • Size

    212KB

  • Sample

    230405-bnwwwaba87

  • MD5

    2318575bbff6e228b9453eeb841ba952

  • SHA1

    191e925300fe778355c91c14f6e95631cf94b831

  • SHA256

    07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710

  • SHA512

    8cb12fec7144cb2cad287dd34f82d92d853fb03ea2f82d795923a1c92dcf8361366f5bdfe5d7628b7cce3f5fc4aef8a185b569368aad08e4dc776667423a3b30

  • SSDEEP

    1536:XcQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pLz30rtr8gjXjp0danBj:r29DkEGRQixVSjLc330BYgjXjpDnBj

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)

    Remote System Discovery, T1018 (1)

Tasks