sakula | 20092dbc1daf981353fb869d8be7f2070953052f75808a949e34fbe9a156be7c

General

Target

9df73150049582985ec8abd22e42ce91_JC.exe
Size

42KB
MD5

9df73150049582985ec8abd22e42ce91
SHA1

5cf2b9bc98ac8eabf068c0ff08a74e7f0ace5682
SHA256

20092dbc1daf981353fb869d8be7f2070953052f75808a949e34fbe9a156be7c
SHA512

c5df3ccd06f8f47f83ac4308c9a7920eaf5ed210eac92da5c39392da11cd6da26680edfb4709dc73433d1734da04deb811faa4ef2bf135d5844e84d4f4dc7f59
SSDEEP

768:fvQB/z0pqrLoyT8I+E1j+KPPIYu8T0aTsJK56VO8XM0Wns+b2znpNqPM:fODhc+yBJW0WTU5XM1nJqjp00

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2808-8-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/3784-9-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/3784-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/2808-20-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/3784-24-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	9df73150049582985ec8abd22e42ce91_JC.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3784 MediaCenter.exe

pid	process
3784	MediaCenter.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2808-1-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/3784-6-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2808-8-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3784-9-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3784-11-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2808-20-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3784-24-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	9df73150049582985ec8abd22e42ce91_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4544 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 2808 9df73150049582985ec8abd22e42ce91_JC.exe

pid	process
4544	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2808	9df73150049582985ec8abd22e42ce91_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9df73150049582985ec8abd22e42ce91_JC.execmd.exe

description	pid	process	target process
PID 2808 wrote to memory of 3784	2808	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2808 wrote to memory of 3784	2808	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2808 wrote to memory of 3784	2808	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2808 wrote to memory of 1352	2808	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2808 wrote to memory of 1352	2808	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2808 wrote to memory of 1352	2808	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 1352 wrote to memory of 4544	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 4544	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 4544	1352	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
16648856eec11667b44835ccadde3094

SHA1
40f2577981418998dc1b2f7a2c2761550ea7d358

SHA256
c26f142b7025447fd8016338e3a192e0072754a64d045d98b3eb2ef38c66509d

SHA512
7caa1e3750312e29128e29ac22629ce19eb0843a32b976ce99154509ede7086a3c93b59cbb950842a0cbb6c02eeba6418bc655da8c7c624003e0909ecc07b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
16648856eec11667b44835ccadde3094

SHA1
40f2577981418998dc1b2f7a2c2761550ea7d358

SHA256
c26f142b7025447fd8016338e3a192e0072754a64d045d98b3eb2ef38c66509d

SHA512
7caa1e3750312e29128e29ac22629ce19eb0843a32b976ce99154509ede7086a3c93b59cbb950842a0cbb6c02eeba6418bc655da8c7c624003e0909ecc07b223

Download Submit
memory/2808-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3784-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3784-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3784-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3784-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads