sakula | f988e1706878a2e93a7331ad1ec76c43fef3f9320d8c5795834e4717dcbeb2ef

General

Target

NEAS.31aa06702e3563d705d5f9f20a96bae0.exe
Size

37KB
MD5

31aa06702e3563d705d5f9f20a96bae0
SHA1

56aa666b4acdbe881f8d50c734f57bdeba58949c
SHA256

f988e1706878a2e93a7331ad1ec76c43fef3f9320d8c5795834e4717dcbeb2ef
SHA512

b8c3b3145f441bd7bf0bcff759177aecd9fbba1326cc9c3274084f3f0d4498c38f16add98da8180e9e93bb37e017a9a62ff415523b006956865617d1d537cba7
SSDEEP

768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9ze:n6zqhyYtkYWRPTEze

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2452 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.31aa06702e3563d705d5f9f20a96bae0.exe

pid process

3040 NEAS.31aa06702e3563d705d5f9f20a96bae0.exe
3040 NEAS.31aa06702e3563d705d5f9f20a96bae0.exe

pid	process
2832	cmd.exe

pid	process
2452	MediaCenter.exe

pid	process
3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe
3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2496 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2740 PING.EXE

pid	process
2496	reg.exe

pid	process
2740	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.31aa06702e3563d705d5f9f20a96bae0.execmd.execmd.exe

description	pid	process	target process
PID 3040 wrote to memory of 2480	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2480	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2480	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2480	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2452	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	MediaCenter.exe
PID 3040 wrote to memory of 2452	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	MediaCenter.exe
PID 3040 wrote to memory of 2452	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	MediaCenter.exe
PID 3040 wrote to memory of 2452	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	MediaCenter.exe
PID 2480 wrote to memory of 2496	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2496	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2496	2480	cmd.exe	reg.exe
PID 2480 wrote to memory of 2496	2480	cmd.exe	reg.exe
PID 3040 wrote to memory of 2832	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2832	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2832	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 3040 wrote to memory of 2832	3040	NEAS.31aa06702e3563d705d5f9f20a96bae0.exe	cmd.exe
PID 2832 wrote to memory of 2740	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2740	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2740	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2740	2832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.31aa06702e3563d705d5f9f20a96bae0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.31aa06702e3563d705d5f9f20a96bae0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2496

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.31aa06702e3563d705d5f9f20a96bae0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
b0c679b003a0dff9fc6fc64cf5551441

SHA1
cb3c05e8f8eed3b180bba55550a555ee0ac050ca

SHA256
30e496ce105d61f723f48bc9a183f6c689b1a42ec3e063523ca855cdba3268b8

SHA512
6c85eedded9ac15868936125f571fc9084b93e7327f4e8bc8139f8d9050fbaf4b3a0957f9e8a2f0a9ca1da17c6ea7605a19e1295ca58756fb64c3701ac31fd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
b0c679b003a0dff9fc6fc64cf5551441

SHA1
cb3c05e8f8eed3b180bba55550a555ee0ac050ca

SHA256
30e496ce105d61f723f48bc9a183f6c689b1a42ec3e063523ca855cdba3268b8

SHA512
6c85eedded9ac15868936125f571fc9084b93e7327f4e8bc8139f8d9050fbaf4b3a0957f9e8a2f0a9ca1da17c6ea7605a19e1295ca58756fb64c3701ac31fd51

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
b0c679b003a0dff9fc6fc64cf5551441

SHA1
cb3c05e8f8eed3b180bba55550a555ee0ac050ca

SHA256
30e496ce105d61f723f48bc9a183f6c689b1a42ec3e063523ca855cdba3268b8

SHA512
6c85eedded9ac15868936125f571fc9084b93e7327f4e8bc8139f8d9050fbaf4b3a0957f9e8a2f0a9ca1da17c6ea7605a19e1295ca58756fb64c3701ac31fd51

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
b0c679b003a0dff9fc6fc64cf5551441

SHA1
cb3c05e8f8eed3b180bba55550a555ee0ac050ca

SHA256
30e496ce105d61f723f48bc9a183f6c689b1a42ec3e063523ca855cdba3268b8

SHA512
6c85eedded9ac15868936125f571fc9084b93e7327f4e8bc8139f8d9050fbaf4b3a0957f9e8a2f0a9ca1da17c6ea7605a19e1295ca58756fb64c3701ac31fd51

Download Submit
memory/3040-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads