sakula | 8d6b2e4295354b5069d4d021f29fc110e9ea6d788162bcd53234f08e65c44795

General

Target

c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe
Size

332KB
MD5

c7e0d171f1a3f77fd83cf2898cdbdcd8
SHA1

5606572d9fc5af80a574beea1d3881aa82cd3dd3
SHA256

8d6b2e4295354b5069d4d021f29fc110e9ea6d788162bcd53234f08e65c44795
SHA512

8405ea0ecc8389280a9a4b34fe44abf6e8e42a479b9c88edb686e0f1a90462df045c77324a26374869e0fb064788db525b567c5a16f75ff1cf8cdf2de9e8e5ab
SSDEEP

6144:Nj9c2WYd30BKmiPVpU3ypIPr3D3StNynyS/t:NSI2H5

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2732 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

2068 AdobeUpdate.exe
Loads dropped DLL 4 IoCs

Processes:

c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exeAdobeUpdate.exe

pid process

924 c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe
2068 AdobeUpdate.exe
2068 AdobeUpdate.exe
2068 AdobeUpdate.exe

pid	process
2732	cmd.exe

pid	process
2068	AdobeUpdate.exe

pid	process
924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe
2068	AdobeUpdate.exe
2068	AdobeUpdate.exe
2068	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2632 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 924 c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe

pid	process
2632	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2068	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	AdobeUpdate.exe
PID 924 wrote to memory of 2732	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	cmd.exe
PID 924 wrote to memory of 2732	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	cmd.exe
PID 924 wrote to memory of 2732	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	cmd.exe
PID 924 wrote to memory of 2732	924	c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe	cmd.exe
PID 2732 wrote to memory of 2632	2732	cmd.exe	PING.EXE
PID 2732 wrote to memory of 2632	2732	cmd.exe	PING.EXE
PID 2732 wrote to memory of 2632	2732	cmd.exe	PING.EXE
PID 2732 wrote to memory of 2632	2732	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068

C:\Users\Admin\AppData\Local\Temp\c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c7e0d171f1a3f77fd83cf2898cdbdcd8_JC.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
332KB

MD5
5c83cef24d20e8ec690f2cef521b11e9

SHA1
4dcbe18fa788294b09fedef09a541d956ffe273e

SHA256
159b5a644217e691796b52d2da91b238481c98329a97972fb8ddaef7ab7b6001

SHA512
7e5734d2698c12b16d88b5ff68193f3868345a247a6370fa6394b2b5060ee21d7effe95ec96a2740f619b0d66a603efb5ae8a5d8db0410ec4c8f9d2a0d6cd3d3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads