Malware Analysis Report

2024-11-13 18:44

Sample ID 231012-xsjm1ahg6w
Target ed0585b165ddf521f147f423ac2598b3_JC.exe
SHA256 e90689d3748f94db3053fdd7c2b522f4de5a3ac6277ebc9c941123c2d8af2a17
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e90689d3748f94db3053fdd7c2b522f4de5a3ac6277ebc9c941123c2d8af2a17

Threat Level: Known bad

The file ed0585b165ddf521f147f423ac2598b3_JC.exe was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula payload

Sakula

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-10-12 19:06

Signatures

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 19:06

Reported

2023-10-17 12:42

Platform

win7-20230831-en

Max time kernel

136s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A (6 matches; the sandbox recorded no indicator details for this rule)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 240 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2432 wrote to memory of 2016 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1904 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Note: each writer/target pair is a parent/child pair in the process tree below (sample -> AdobeUpdate.exe, sample -> cmd.exe, cmd.exe -> PING.EXE). A creating process writes into its new child's address space as part of normal process start-up, so these rows corroborate the process tree rather than prove code injection on their own.

Processes

C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

Note: the command line names System32, but the image that actually ran is SysWOW64\cmd.exe because the 32-bit sample is subject to WOW64 file-system redirection. The "ping 127.0.0.1" is a delay, not reconnaissance: it gives the parent time to exit so that "del" can remove the original executable.

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.savmpet.com udp
US 34.41.229.245:80 www.savmpet.com tcp (9 connections)
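The persistence, self-deletion and network rows above translate directly into host and network detections. The following Python is an added example written for this report; it is not sandbox output and not Sakula code. The event dictionaries are a constructed, simplified telemetry shape (an assumption, not a vendor schema) populated from the behavioral1 run, with a "SecurityHealth" Run value and a bare ping process added as benign decoys that must not fire.

```python
"""Detection logic for the three behaviours recorded in the report:
a Run-key value launching from a user-writable Temp directory, the
'cmd /c ping 127.0.0.1 & del' self-deletion one-liner, and traffic to
the observed C2 host. Added example; event dicts are a constructed
telemetry shape (assumption), not any vendor's schema.
"""
import re
from ntpath import basename, normcase
from typing import Dict, List, Optional

# Any Run/RunOnce key, native or under the WOW64 view (Wow6432Node).
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Autostart entries launching from %TEMP% or %APPDATA% are rarely legitimate.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
# ping <host> ... & del [/switches] "<path>": the ping is only a sleep before del.
SELF_DELETE_RE = re.compile(
    r'ping\s+.*?&\s*del\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE
)
# Network indicators taken from the report's Network table.
C2_DOMAINS = {"www.savmpet.com"}
C2_IPS = {"34.41.229.245"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

# Constructed telemetry modelled on the behavioral1 run, plus two benign decoys.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"},
    {"type": "registry_set",  # decoy: Run value pointing into a protected directory
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\PING.EXE",  # decoy: plain ping
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53, "domain": "www.savmpet.com"},
    {"type": "network", "dst_ip": "34.41.229.245", "dst_port": 80, "domain": "www.savmpet.com"},
]


def suspicious_run_value(key: str, data: str) -> bool:
    """Run/RunOnce value whose command launches from a user-writable directory."""
    return bool(RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(data))


def self_delete_target(cmdline: str) -> Optional[str]:
    """Path removed by a 'ping ... & del ...' one-liner, or None if the pattern is absent."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1).strip() if m else None


def scan(events: List[Dict]) -> List[str]:
    """Return one finding string per matched behaviour, in event order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and suspicious_run_value(ev["key"], ev["data"]):
            findings.append(f"persistence: Run value {basename(ev['key'])} -> {ev['data']}")
        elif kind == "process_create":
            target = self_delete_target(ev["cmdline"])
            # Only a self-delete when the deleted file is the process that spawned cmd.exe.
            if target and normcase(target) == normcase(ev["parent_image"]):
                findings.append(f"self-delete: {ev['image']} removes parent {target}")
        elif kind == "network" and (ev.get("domain") in C2_DOMAINS or ev["dst_ip"] in C2_IPS):
            findings.append(f"c2: {ev['dst_ip']}:{ev['dst_port']} ({ev.get('domain')})")
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

In production the registry_set events would come from Sysmon Event ID 13 (or an EDR equivalent), process_create from Event ID 1, and the network rows from DNS and proxy logs. The self-delete check deliberately requires the deleted path to equal the parent image, which keeps ordinary cleanup scripts that ping and delete unrelated files from firing.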

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (dropped payload; the report lists this one file six times, under both the "C:\Users\..." and the drive-less "\Users\..." spelling, all with identical hashes)

MD5 496de98c847fbbf8a8c053007e96fdf7
SHA1 71060e9f2384001e33fb7bb96b43a4ed4498cbca
SHA256 ccf68f3ea99fd8b6328799eb70a73dec5b951d4e49ee4b6d35f2037fc6a4a7a5
SHA512 d9646c89b2c2e4caceedad306261000c347c7c0cbe64344d2f9515f8f426cedca8d217f32650800687c1e26d1e698242b2cbccc44d58c9dbe285138e1eff3945

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 19:06

Reported

2023-10-17 12:43

Platform

win10v2004-20230915-en

Max time kernel

159s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches; the sandbox recorded no indicator details for this rule)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed0585b165ddf521f147f423ac2598b3_JC.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 www.savmpet.com udp
US 34.41.229.245:80 www.savmpet.com tcp (2 connections)
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp (3 connections)
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp (2 connections)

Note: the in-addr.arpa rows are reverse (PTR) lookups performed during the run, including one for the C2 address itself (245.229.41.34.in-addr.arpa). None of the other reversed addresses is connected to in this table, so they identify no attacker infrastructure and should not be extracted as indicators. The sample's own traffic is the www.savmpet.com resolution and the HTTP connections to 34.41.229.245:80, as in the Win7 run.

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (dropped payload; listed twice in the report with identical hashes)

MD5 5fa5fa48b1363f3a08d1acb6e0ff9058
SHA1 8d00c0aac49b8b07e2d5ebb749b7a603b88527dd
SHA256 8e15c394841fb7120f735dc2a08f0d8de4fb718f9f9f178a750feeeae8ae300d
SHA512 46614da27a5196c9addbaebfa978da3998e23f1cba33a8f72bcca50396ee08cc555e744df01eda9cb83f270031f38e3cd885401d2f85ea1c14f35d799b4d16d1

Note: the dropped AdobeUpdate.exe has different hashes here than in the Win7 run (behavioral1), so the file written to disk is not byte-identical across detonations. Do not rely on the dropped file's hash alone; pivot on the drop path (...\Temp\MicroMedia\AdobeUpdate.exe), the Run-key value "AdobeUpdate" and the C2 domain www.savmpet.com, which are stable across both runs.