General

  • Target

    f7c2ac9962c9ca70a8f9abeb7eff5a87_JC.exe

  • Size

    212KB

  • Sample

    230930-qja6yace6v

  • MD5

    f7c2ac9962c9ca70a8f9abeb7eff5a87

  • SHA1

    ff607cb7f520b2cf649c4ab45e78fc1a64eb5885

  • SHA256

    fa7b5dbf09197f793355e0ebf954291cf05b859ef05971fca8381ced2f280472

  • SHA512

    59a77ee41aeda8c1d7c12600d51543be04d3c22e4d6df9ad4a02fe8d7913def02a1c8de6d90c5e8ea9375313e9ee1384670f4f37a81e93f9b853a99bc1e5d5c1

  • SSDEEP

    1536:RtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0QanBD:k29DkEGRQixVSjLc130BYgjXjpKnBD

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      f7c2ac9962c9ca70a8f9abeb7eff5a87_JC.exe

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application
