sakula | 1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2

General

Target

7e9c917a00d385169f54f0302f39adb0_exe32.exe
Size

67KB
MD5

7e9c917a00d385169f54f0302f39adb0
SHA1

404ab31a239a7ed764a31ddebea39bf6242cd957
SHA256

1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2
SHA512

65ef31aefc3d45f51ab2f6b3d8af861a3c2b00600f98d476b79465eaabb096d990f6034097031e356b4bef524ce14a9d6a3a39e9fca6f77f315e3b6fe7065575
SSDEEP

768:u7Xezc/T6Zp14hyYtoVxYF9mHF1yD3BmNV8PsED3VK2+ZtyOjgO4r9vFAg2rqb:a6zqhyYtkYWI3BDYTjipvF2W

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2528 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3028 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

7e9c917a00d385169f54f0302f39adb0_exe32.exe

pid process

3044 7e9c917a00d385169f54f0302f39adb0_exe32.exe
3044 7e9c917a00d385169f54f0302f39adb0_exe32.exe

pid	process
2528	cmd.exe

pid	process
3028	MediaCenter.exe

pid	process
3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe
3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2612 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2764 PING.EXE

pid	process
2612	reg.exe

pid	process
2764	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7e9c917a00d385169f54f0302f39adb0_exe32.execmd.execmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 2316	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2316	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2316	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2316	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 3028	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 3044 wrote to memory of 3028	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 3044 wrote to memory of 3028	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 3044 wrote to memory of 3028	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 2316 wrote to memory of 2612	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2612	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2612	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2612	2316	cmd.exe	reg.exe
PID 3044 wrote to memory of 2528	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2528	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2528	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 3044 wrote to memory of 2528	3044	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2528 wrote to memory of 2764	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2764	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2764	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2764	2528	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2612

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
5b0ab64f321785bd97c4d02f11e982f5

SHA1
a1bb7cf5906c951064d7fccb0e7a14a553b80f72

SHA256
0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515

SHA512
d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
5b0ab64f321785bd97c4d02f11e982f5

SHA1
a1bb7cf5906c951064d7fccb0e7a14a553b80f72

SHA256
0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515

SHA512
d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
5b0ab64f321785bd97c4d02f11e982f5

SHA1
a1bb7cf5906c951064d7fccb0e7a14a553b80f72

SHA256
0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515

SHA512
d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
5b0ab64f321785bd97c4d02f11e982f5

SHA1
a1bb7cf5906c951064d7fccb0e7a14a553b80f72

SHA256
0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515

SHA512
d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

Download Submit
memory/3028-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3044-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3044-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3044-9-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/3044-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads