sakula | 5be17637b3e3a792a734fe6509d3c40a56218780c66f7f211ce5adfcd0921e56

General

Target

18a92d2c3353b7e1de84834655a00987_JC.exe
Size

42KB
MD5

18a92d2c3353b7e1de84834655a00987
SHA1

961fca877600937d0cb74a1f191a4b9a94554345
SHA256

5be17637b3e3a792a734fe6509d3c40a56218780c66f7f211ce5adfcd0921e56
SHA512

3ad963c8b05e3343fb7ed8039610720c332bfc400f36952a4831b82debdc7e0da606cebb6452bddded5afcf1c9a6a255ae8bb9af7f40d64cab7e7a1fd28777e5
SSDEEP

768:fvQB/z0pqrLoyT8I+E1j+KPPIYu8T0aTsJK56VO8XM0Wns+b2znpNqPP:fODhc+yBJW0WTU5XM1nJqjp0X

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

resource	yara_rule
behavioral2/memory/1940-6-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/1684-7-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/1940-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/1684-27-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	18a92d2c3353b7e1de84834655a00987_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	MediaCenter.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1940-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0008000000023020-3.dat	upx
behavioral2/files/0x0008000000023020-5.dat	upx
behavioral2/memory/1684-4-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1940-6-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1684-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1940-13-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1684-27-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	18a92d2c3353b7e1de84834655a00987_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1940	18a92d2c3353b7e1de84834655a00987_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1684	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	86
PID 1940 wrote to memory of 1684	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	86
PID 1940 wrote to memory of 1684	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	86
PID 1940 wrote to memory of 2004	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	95
PID 1940 wrote to memory of 2004	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	95
PID 1940 wrote to memory of 2004	1940	18a92d2c3353b7e1de84834655a00987_JC.exe	95
PID 2004 wrote to memory of 976	2004	cmd.exe	97
PID 2004 wrote to memory of 976	2004	cmd.exe	97
PID 2004 wrote to memory of 976	2004	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\18a92d2c3353b7e1de84834655a00987_JC.exe
"C:\Users\Admin\AppData\Local\Temp\18a92d2c3353b7e1de84834655a00987_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18a92d2c3353b7e1de84834655a00987_JC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\qezikbgf1399203065[1].htm

Filesize
2KB

MD5
67b9c1e803a6405e9af96c49ff97b65d

SHA1
39115fe8768ee243da1777a22bc128e1e6f4c4fe

SHA256
bb1aefeac395f56710518e3fbe59b31056b12e5691bf7be2aab8dc48142d8105

SHA512
0941c2cd87fcf5a920c8046e5684236fbbad322d45122e4884a553cecb50ebf45da2fb8a2a890071b79e0c176e0723dfb95a420f2bd91ea4439c4e013f4ca69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
f968f631f99849fe3280482a4378edae

SHA1
cd06164cb2db919ff545303029a684d3f98dc8a3

SHA256
5aa23cf2faf1bc722494a0ac13600c785e27628dc6432f48bb0a4c88966a4376

SHA512
94b80dda99752f3b9f1588955586f309114236ef588de3e138985db1704c5a89f54eaabb9d8c0be0fdecc98504d81e266e9dafe45a0727ad88cfde1d381092a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
f968f631f99849fe3280482a4378edae

SHA1
cd06164cb2db919ff545303029a684d3f98dc8a3

SHA256
5aa23cf2faf1bc722494a0ac13600c785e27628dc6432f48bb0a4c88966a4376

SHA512
94b80dda99752f3b9f1588955586f309114236ef588de3e138985db1704c5a89f54eaabb9d8c0be0fdecc98504d81e266e9dafe45a0727ad88cfde1d381092a2

Download Submit
memory/1684-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1684-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1684-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads