Malware Analysis Report

2024-11-13 18:44

Sample ID 231015-yeemkadc6s
Target 996d9a8ea67e8a858088141a60696ee0_exe32.exe
SHA256 5427f52a114956785f0ed84d43b5ca4fa093fd8ac1bc2c9e663167e1b8876096
Tags: sakula persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 5427f52a114956785f0ed84d43b5ca4fa093fd8ac1bc2c9e663167e1b8876096

Threat Level: Known bad

The file 996d9a8ea67e8a858088141a60696ee0_exe32.exe was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula payload

Sakula

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 19:41

Signatures

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 19:41

Reported

2023-10-15 22:41

Platform

win7-20230831-en

Max time kernel

130s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
Process: C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe

"C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.savmpet.com udp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp

Files

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 a80c6cf399331249aa887ec92e7bd258
SHA1 82c2fbe51708b48fc0007ded179796259eb6c5b4
SHA256 4e8310ed5e45c9d03006430d5a1477d40e615f2e59ffaad7d6f65da2fc5e875d
SHA512 d00e174f294645313147e7034cee208f6f14dd422afc6ce512d0274a3f8c2f83f123ac6faf1b302aad56aea6d0222c1fdbcfa06ecbf7ae727a5295559cc2d8a1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 a80c6cf399331249aa887ec92e7bd258
SHA1 82c2fbe51708b48fc0007ded179796259eb6c5b4
SHA256 4e8310ed5e45c9d03006430d5a1477d40e615f2e59ffaad7d6f65da2fc5e875d
SHA512 d00e174f294645313147e7034cee208f6f14dd422afc6ce512d0274a3f8c2f83f123ac6faf1b302aad56aea6d0222c1fdbcfa06ecbf7ae727a5295559cc2d8a1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 a80c6cf399331249aa887ec92e7bd258
SHA1 82c2fbe51708b48fc0007ded179796259eb6c5b4
SHA256 4e8310ed5e45c9d03006430d5a1477d40e615f2e59ffaad7d6f65da2fc5e875d
SHA512 d00e174f294645313147e7034cee208f6f14dd422afc6ce512d0274a3f8c2f83f123ac6faf1b302aad56aea6d0222c1fdbcfa06ecbf7ae727a5295559cc2d8a1

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 19:41

Reported

2023-10-15 22:40

Platform

win10v2004-20230915-en

Max time kernel

167s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
Process: C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe

"C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 www.savmpet.com udp
US 34.41.229.245:80 www.savmpet.com tcp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 www.savmpet.com tcp
US 34.41.229.245:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 dc0a7a6ea944ad22c235a8d082578513
SHA1 4aaf2150e0777793379768726ed1e852c9e97da7
SHA256 267b86e67d6a7936bb911c30d7943346bf62a06e3d6b99238b714a6d8fe7a8a4
SHA512 629f552ce890ea8224141ee8761666c4414e088131554b8346fd128fcad63a4f805583a7a6f3879de3b07a3533a28a8dcfe98b7602c42586071de116de05ad5f