sakula | 75dcbf5b364ce82e5a58d265a73b95f3613da09f421391a7b1576fa475fe36fb

General

Target

568292d2e4101ca0c263f906e97344a4_JC.exe
Size

79KB
MD5

568292d2e4101ca0c263f906e97344a4
SHA1

fe6f39e1defd2197b139a26b7c4fd9601aade0b3
SHA256

75dcbf5b364ce82e5a58d265a73b95f3613da09f421391a7b1576fa475fe36fb
SHA512

3c090d41dc887516bf212f8f9bf885f9d5970d8a467d71dbd1cb516ba4cf2e6a9dc7b169afb658b9ab2972dea0f9559e4dbb95bffdc7edf0967369f9e9f6dba9
SSDEEP

1536:MSoaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro+:M90hpgz6xGhTjwHN30BE+

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000800000001210a-1.dat	family_sakula
behavioral1/files/0x000800000001210a-6.dat	family_sakula
behavioral1/files/0x000800000001210a-3.dat	family_sakula
behavioral1/files/0x000800000001210a-7.dat	family_sakula

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	MediaCenter.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	568292d2e4101ca0c263f906e97344a4_JC.exe
2972	568292d2e4101ca0c263f906e97344a4_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	568292d2e4101ca0c263f906e97344a4_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2872	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	568292d2e4101ca0c263f906e97344a4_JC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2160	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	28
PID 2972 wrote to memory of 2160	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	28
PID 2972 wrote to memory of 2160	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	28
PID 2972 wrote to memory of 2160	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	28
PID 2972 wrote to memory of 2732	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	30
PID 2972 wrote to memory of 2732	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	30
PID 2972 wrote to memory of 2732	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	30
PID 2972 wrote to memory of 2732	2972	568292d2e4101ca0c263f906e97344a4_JC.exe	30
PID 2732 wrote to memory of 2872	2732	cmd.exe	32
PID 2732 wrote to memory of 2872	2732	cmd.exe	32
PID 2732 wrote to memory of 2872	2732	cmd.exe	32
PID 2732 wrote to memory of 2872	2732	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\568292d2e4101ca0c263f906e97344a4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\568292d2e4101ca0c263f906e97344a4_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\568292d2e4101ca0c263f906e97344a4_JC.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
79KB

MD5
ab4209ee8991ac7dad5c30fd8eaa006e

SHA1
54fadd86d788d4d7ea8b254e2b3d39e42694a683

SHA256
5e1c6ddd3cfe6c834a2ac81526931aa418aca15750353fabd51f6a69660932d1

SHA512
9954b566e94e3811f5224568dd1a98dadafdc6d79b37cebf552034738dcb7dc40f9f87c1c58f5aa4303af333c88d353ae7a92d3110fca3a2d21220d4d4901a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
79KB

MD5
ab4209ee8991ac7dad5c30fd8eaa006e

SHA1
54fadd86d788d4d7ea8b254e2b3d39e42694a683

SHA256
5e1c6ddd3cfe6c834a2ac81526931aa418aca15750353fabd51f6a69660932d1

SHA512
9954b566e94e3811f5224568dd1a98dadafdc6d79b37cebf552034738dcb7dc40f9f87c1c58f5aa4303af333c88d353ae7a92d3110fca3a2d21220d4d4901a3e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
79KB

MD5
ab4209ee8991ac7dad5c30fd8eaa006e

SHA1
54fadd86d788d4d7ea8b254e2b3d39e42694a683

SHA256
5e1c6ddd3cfe6c834a2ac81526931aa418aca15750353fabd51f6a69660932d1

SHA512
9954b566e94e3811f5224568dd1a98dadafdc6d79b37cebf552034738dcb7dc40f9f87c1c58f5aa4303af333c88d353ae7a92d3110fca3a2d21220d4d4901a3e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
79KB

MD5
ab4209ee8991ac7dad5c30fd8eaa006e

SHA1
54fadd86d788d4d7ea8b254e2b3d39e42694a683

SHA256
5e1c6ddd3cfe6c834a2ac81526931aa418aca15750353fabd51f6a69660932d1

SHA512
9954b566e94e3811f5224568dd1a98dadafdc6d79b37cebf552034738dcb7dc40f9f87c1c58f5aa4303af333c88d353ae7a92d3110fca3a2d21220d4d4901a3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads