General

  • Target

    easy_Malicious_1941f839ec28e90940c0e950f60c0c9b254bf30ed30b2f9d83a644239c01f96c.exe

  • Size

    109KB

  • Sample

    230704-stc5dseg27

  • MD5

    9e01a52b56d80a49feac8a7849539069

  • SHA1

    868857c5ec1600956cc955e65cad9dc1c1555f1e

  • SHA256

    8df10a1c1f6072515a6155734ca71184e71deea8988e614d5135997fa54ea5ee

  • SHA512

    9297319fc893a570c29eb92a27a7b3d9abad7a32ba25edb866971e39991993ad904f6210763ec25881f12c65d68e2d92206daccbb2fc3c46f0e7e436d916f1a0

  • SSDEEP

    3072:529DkEGRxixVSjLXt+rl30BXqqqqLkCakCW:529qRsVSndg30BXqqqqPCW

Malware Config

Extracted

  • Family

    sakula

  • C2

    www.polarroute.com

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

    Remote System Discovery (T1018): 1

Tasks