General

  • Target

    fc1110d0a4cf3b4a2e3feb2e4b4f093e_JC.exe

  • Size

    212KB

  • Sample

    230925-vw981sag37

  • MD5

    fc1110d0a4cf3b4a2e3feb2e4b4f093e

  • SHA1

    726d7759fbf3115209355295d813ce63087dc6bf

  • SHA256

    10f6ffb1c7bef3e282db61530942357daaa5ec0b5191da5abd7e5351ae05508e

  • SHA512

    29cd6b4c1df8345f450bd507b78280dc89f256777b4f80a9ebfdd5a39a2aa64ee245a834eb12a8f5d37a4309529c27940bbab97bef740095c502bda1411b145a

  • SSDEEP

    1536:otQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp00anBC:729DkEGRQixVSjLc130BYgjXjpmnBC

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      fc1110d0a4cf3b4a2e3feb2e4b4f093e_JC.exe

    • Size

      212KB

    • MD5

      fc1110d0a4cf3b4a2e3feb2e4b4f093e

    • SHA1

      726d7759fbf3115209355295d813ce63087dc6bf

    • SHA256

      10f6ffb1c7bef3e282db61530942357daaa5ec0b5191da5abd7e5351ae05508e

    • SHA512

      29cd6b4c1df8345f450bd507b78280dc89f256777b4f80a9ebfdd5a39a2aa64ee245a834eb12a8f5d37a4309529c27940bbab97bef740095c502bda1411b145a

    • SSDEEP

      1536:otQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp00anBC:729DkEGRQixVSjLc130BYgjXjpmnBC

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks