sakula | 5de08d92f9bec7c08bf0ea54746c1588c656b2d071fb9fd3a54c0527e2b130b8

General

Target

NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe
Size

72KB
MD5

582caefe13bda3894d0ebbf6fa396ca0
SHA1

535061c4120076749220b134fe7834d5c1be5725
SHA256

5de08d92f9bec7c08bf0ea54746c1588c656b2d071fb9fd3a54c0527e2b130b8
SHA512

75e71e5adc468118eaf1cd5ec832bad0ffb824a534c0a0a862c71a15e49f3b4f5d9356bb698eb28c5f3c5b198149789ea77b40e6929e449ae4f3e2186fd1faa2
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVW6QptwyR:G6zqhyYtkYW/CPnO3ajwyR

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2496 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3048 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe

pid process

2380 NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe
2380 NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe

pid	process
2496	cmd.exe

pid	process
3048	MediaCenter.exe

pid	process
2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe
2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2316 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2624 PING.EXE

pid	process
2316	reg.exe

pid	process
2624	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.execmd.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 2296	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2296	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2296	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2296	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 3048	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	MediaCenter.exe
PID 2380 wrote to memory of 3048	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	MediaCenter.exe
PID 2380 wrote to memory of 3048	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	MediaCenter.exe
PID 2380 wrote to memory of 3048	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	MediaCenter.exe
PID 2296 wrote to memory of 2316	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2316	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2316	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2316	2296	cmd.exe	reg.exe
PID 2380 wrote to memory of 2496	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2496	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2496	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2380 wrote to memory of 2496	2380	NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe	cmd.exe
PID 2496 wrote to memory of 2624	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2624	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2624	2496	cmd.exe	PING.EXE
PID 2496 wrote to memory of 2624	2496	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2316

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.582caefe13bda3894d0ebbf6fa396ca0_JC.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
5778b0c1597ba5b68ccd88bb3c852e04

SHA1
71b11d3ad0faa6233d738643098b9706b450d713

SHA256
0885dc0d98880ba15b2dc8192a9124a8d8bd46e097c1614c5daf37da60e663a7

SHA512
c8aa15eab62cd1df46c5f8a745b34fc39cc6fd2907a61edc648fd4f6fee7fb8d415280e2d68c3e0dbd7ba66aa0a33bdb242255635743845cf1db0dc09f0a9f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
5778b0c1597ba5b68ccd88bb3c852e04

SHA1
71b11d3ad0faa6233d738643098b9706b450d713

SHA256
0885dc0d98880ba15b2dc8192a9124a8d8bd46e097c1614c5daf37da60e663a7

SHA512
c8aa15eab62cd1df46c5f8a745b34fc39cc6fd2907a61edc648fd4f6fee7fb8d415280e2d68c3e0dbd7ba66aa0a33bdb242255635743845cf1db0dc09f0a9f5f

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
5778b0c1597ba5b68ccd88bb3c852e04

SHA1
71b11d3ad0faa6233d738643098b9706b450d713

SHA256
0885dc0d98880ba15b2dc8192a9124a8d8bd46e097c1614c5daf37da60e663a7

SHA512
c8aa15eab62cd1df46c5f8a745b34fc39cc6fd2907a61edc648fd4f6fee7fb8d415280e2d68c3e0dbd7ba66aa0a33bdb242255635743845cf1db0dc09f0a9f5f

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
5778b0c1597ba5b68ccd88bb3c852e04

SHA1
71b11d3ad0faa6233d738643098b9706b450d713

SHA256
0885dc0d98880ba15b2dc8192a9124a8d8bd46e097c1614c5daf37da60e663a7

SHA512
c8aa15eab62cd1df46c5f8a745b34fc39cc6fd2907a61edc648fd4f6fee7fb8d415280e2d68c3e0dbd7ba66aa0a33bdb242255635743845cf1db0dc09f0a9f5f

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-9-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2380-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3048-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3048-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads