sakula | f1600f2961c2101189dd6666935d4e7c2af69aacce417b527e41584b53bc4225

General

Target

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe
Size

212KB
MD5

bccf42d805b13678fb0459ece5aa915f
SHA1

307c9a9e7440de03c051736a5977662d5546bcae
SHA256

f1600f2961c2101189dd6666935d4e7c2af69aacce417b527e41584b53bc4225
SHA512

25fa07e0c2c54b59d03a801e3fada1a61c73e813f52c1dced31d335ee1cffd78537859b55797c1a12ad225f4ea59eee96316af8315e1c170cf643d8b386435ba
SSDEEP

1536:VtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0ManB/:429DkEGRQixVSjLc130BYgjXjpWnB/

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/520-0-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/4148-4-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/520-6-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/4148-7-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/520-8-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4148 MediaCenter.exe

pid	process
4148	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/520-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/4148-4-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/520-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4148-7-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/520-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3792 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 520 bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

pid	process
3792	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.execmd.exe

description	pid	process	target process
PID 520 wrote to memory of 4148	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	MediaCenter.exe
PID 520 wrote to memory of 4148	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	MediaCenter.exe
PID 520 wrote to memory of 4148	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	MediaCenter.exe
PID 520 wrote to memory of 1400	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	cmd.exe
PID 520 wrote to memory of 1400	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	cmd.exe
PID 520 wrote to memory of 1400	520	bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe	cmd.exe
PID 1400 wrote to memory of 3792	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 3792	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 3792	1400	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
484726c9046c6ed73a8244bea1e06c2e

SHA1
69b2ee9321097586334cfd5202baa4012aba95aa

SHA256
2f24710dfb232ac0cd111567494a3954929fbde868fab1db139fdc23c715949f

SHA512
280e41ec67496aa67904ce3e5b98dd564fb2e71920167fc8072c04b44b507112bffde6804934ba90ff336d7fc62cc16e26bab2e718954fcdfd112007839dc5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
484726c9046c6ed73a8244bea1e06c2e

SHA1
69b2ee9321097586334cfd5202baa4012aba95aa

SHA256
2f24710dfb232ac0cd111567494a3954929fbde868fab1db139fdc23c715949f

SHA512
280e41ec67496aa67904ce3e5b98dd564fb2e71920167fc8072c04b44b507112bffde6804934ba90ff336d7fc62cc16e26bab2e718954fcdfd112007839dc5f3

Download Submit
memory/520-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/520-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/520-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads