sakula | a5394fc377a2f0e8f4260a40cb0a38f0a5b9e91466243e5e777ede07b65da2ab

General

Target

NEAS.f57221068bf350b5139860fa859ea350.exe
Size

37KB
MD5

f57221068bf350b5139860fa859ea350
SHA1

3d51a6a32f709934197d480ab2d3136cb5e2629f
SHA256

a5394fc377a2f0e8f4260a40cb0a38f0a5b9e91466243e5e777ede07b65da2ab
SHA512

13e97b64d4a970100e64f55dd18d6a1bff5969d57945c136a296cbe7b3c925bbab170919454decf19bb802274d9324c56e00fc24ca49f340cc43cbce0aebdd4f
SSDEEP

768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9zx:n6zqhyYtkYWRPTEzx

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3068 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2656 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.f57221068bf350b5139860fa859ea350.exe

pid process

2280 NEAS.f57221068bf350b5139860fa859ea350.exe
2280 NEAS.f57221068bf350b5139860fa859ea350.exe

pid	process
3068	cmd.exe

pid	process
2656	MediaCenter.exe

pid	process
2280	NEAS.f57221068bf350b5139860fa859ea350.exe
2280	NEAS.f57221068bf350b5139860fa859ea350.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2688 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2264 PING.EXE

pid	process
2688	reg.exe

pid	process
2264	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.f57221068bf350b5139860fa859ea350.execmd.execmd.exe

description	pid	process	target process
PID 2280 wrote to memory of 2888	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 2888	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 2888	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 2888	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 2656	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2280 wrote to memory of 2656	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2280 wrote to memory of 2656	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2280 wrote to memory of 2656	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2888 wrote to memory of 2688	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2688	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2688	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2688	2888	cmd.exe	reg.exe
PID 2280 wrote to memory of 3068	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 3068	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 3068	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2280 wrote to memory of 3068	2280	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 3068 wrote to memory of 2264	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 2264	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 2264	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 2264	3068	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2688

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
1eca9b65b093135c0f887d586f41935c

SHA1
18fcf815752c61c9e1b05d4ff645dab117240b08

SHA256
da657f3d6f915c558ee0782f33cccf82fa59ac05fb1611545e022bc918d03c85

SHA512
61ca7a23cfafa25b53df24dea5b3a6f9f5c5d3c1cbc22ceb15505b35a38dfa0fa6ae2ed8c54c57fe3cbf78d5598b9e52dfc7a33480e870bb38e4cebfe7f2d976

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
1eca9b65b093135c0f887d586f41935c

SHA1
18fcf815752c61c9e1b05d4ff645dab117240b08

SHA256
da657f3d6f915c558ee0782f33cccf82fa59ac05fb1611545e022bc918d03c85

SHA512
61ca7a23cfafa25b53df24dea5b3a6f9f5c5d3c1cbc22ceb15505b35a38dfa0fa6ae2ed8c54c57fe3cbf78d5598b9e52dfc7a33480e870bb38e4cebfe7f2d976

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
1eca9b65b093135c0f887d586f41935c

SHA1
18fcf815752c61c9e1b05d4ff645dab117240b08

SHA256
da657f3d6f915c558ee0782f33cccf82fa59ac05fb1611545e022bc918d03c85

SHA512
61ca7a23cfafa25b53df24dea5b3a6f9f5c5d3c1cbc22ceb15505b35a38dfa0fa6ae2ed8c54c57fe3cbf78d5598b9e52dfc7a33480e870bb38e4cebfe7f2d976

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
1eca9b65b093135c0f887d586f41935c

SHA1
18fcf815752c61c9e1b05d4ff645dab117240b08

SHA256
da657f3d6f915c558ee0782f33cccf82fa59ac05fb1611545e022bc918d03c85

SHA512
61ca7a23cfafa25b53df24dea5b3a6f9f5c5d3c1cbc22ceb15505b35a38dfa0fa6ae2ed8c54c57fe3cbf78d5598b9e52dfc7a33480e870bb38e4cebfe7f2d976

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads