sakula | 89f63ace8b3fc8a20de4ee08ddf407d31ce045ed3d6d2f82101e567566c05935

General

Target

NEAS.a6549d8fd84d82830947970626901a00_JC.exe
Size

72KB
MD5

a6549d8fd84d82830947970626901a00
SHA1

b3c175344c41ab9e55f65638df172416d027c20b
SHA256

89f63ace8b3fc8a20de4ee08ddf407d31ce045ed3d6d2f82101e567566c05935
SHA512

a1a919a286741a52fae8a211a8f3174b2373b9cddf493e419fb9f582eb23312ef9a06f805c09a1c5dbaba34bc23c12051ae84ea4980b593642f3907412c5edf0
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVW6QptwyI:G6zqhyYtkYW/CPnO3ajwyI

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2488 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1148 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.a6549d8fd84d82830947970626901a00_JC.exe

pid process

2192 NEAS.a6549d8fd84d82830947970626901a00_JC.exe
2192 NEAS.a6549d8fd84d82830947970626901a00_JC.exe

pid	process
2488	cmd.exe

pid	process
1148	MediaCenter.exe

pid	process
2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe
2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2688 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2544 PING.EXE

pid	process
2688	reg.exe

pid	process
2544	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.a6549d8fd84d82830947970626901a00_JC.execmd.execmd.exe

description	pid	process	target process
PID 2192 wrote to memory of 2468	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2468	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2468	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2468	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 1148	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	MediaCenter.exe
PID 2192 wrote to memory of 1148	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	MediaCenter.exe
PID 2192 wrote to memory of 1148	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	MediaCenter.exe
PID 2192 wrote to memory of 1148	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	MediaCenter.exe
PID 2468 wrote to memory of 2688	2468	cmd.exe	reg.exe
PID 2468 wrote to memory of 2688	2468	cmd.exe	reg.exe
PID 2468 wrote to memory of 2688	2468	cmd.exe	reg.exe
PID 2468 wrote to memory of 2688	2468	cmd.exe	reg.exe
PID 2192 wrote to memory of 2488	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2488	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2488	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2192 wrote to memory of 2488	2192	NEAS.a6549d8fd84d82830947970626901a00_JC.exe	cmd.exe
PID 2488 wrote to memory of 2544	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2544	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2544	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2544	2488	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.a6549d8fd84d82830947970626901a00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6549d8fd84d82830947970626901a00_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2688

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.a6549d8fd84d82830947970626901a00_JC.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
7c8559daba8fbc697bebde35a0e0bbad

SHA1
051cda10aaf251e518a8dc965e4b1c0297bd23b8

SHA256
17bedea76172bc682fc1387dfcc187aba250415364ad9bf0280f3137c9bfe5b1

SHA512
1efdf0d9fadcf9175e149fe7a936cbfef83740ee7da9196485eb514d698fe8d089a8b7fe6860114e24725c6575bc2cb1e9974798e7dd2a7ddf7b129f0efb81be

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
7c8559daba8fbc697bebde35a0e0bbad

SHA1
051cda10aaf251e518a8dc965e4b1c0297bd23b8

SHA256
17bedea76172bc682fc1387dfcc187aba250415364ad9bf0280f3137c9bfe5b1

SHA512
1efdf0d9fadcf9175e149fe7a936cbfef83740ee7da9196485eb514d698fe8d089a8b7fe6860114e24725c6575bc2cb1e9974798e7dd2a7ddf7b129f0efb81be

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
7c8559daba8fbc697bebde35a0e0bbad

SHA1
051cda10aaf251e518a8dc965e4b1c0297bd23b8

SHA256
17bedea76172bc682fc1387dfcc187aba250415364ad9bf0280f3137c9bfe5b1

SHA512
1efdf0d9fadcf9175e149fe7a936cbfef83740ee7da9196485eb514d698fe8d089a8b7fe6860114e24725c6575bc2cb1e9974798e7dd2a7ddf7b129f0efb81be

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
7c8559daba8fbc697bebde35a0e0bbad

SHA1
051cda10aaf251e518a8dc965e4b1c0297bd23b8

SHA256
17bedea76172bc682fc1387dfcc187aba250415364ad9bf0280f3137c9bfe5b1

SHA512
1efdf0d9fadcf9175e149fe7a936cbfef83740ee7da9196485eb514d698fe8d089a8b7fe6860114e24725c6575bc2cb1e9974798e7dd2a7ddf7b129f0efb81be

Download Submit
memory/1148-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-9-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2192-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-13-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads