sakula | 09f8bdd7041169a225593f93692e5f6a5610de3339396cd1212349978a05001d

General

Target

0364d40f6d2b412a5abd49f3ecde9e10.exe
Size

96KB
MD5

0364d40f6d2b412a5abd49f3ecde9e10
SHA1

0539adc8646842fccb198750f78c201ef0f1bedd
SHA256

09f8bdd7041169a225593f93692e5f6a5610de3339396cd1212349978a05001d
SHA512

acad97f791b7682d39d329eb7fc4efc94e764ed41b74f06a0c3b9eb3c56b950bf49ff2a9a1812f7c707122c1c3520debfd31eabf8e674fb151621cb1540d5971
SSDEEP

1536:rODhc+yBJW0WTU5XM1nJqjp0DNDCkruZqcuOuz/xSL:ku+kJHB8FJqjpq7uZwOuz/xSL

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-5-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/2452-7-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral2/memory/3908-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0364d40f6d2b412a5abd49f3ecde9e10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	0364d40f6d2b412a5abd49f3ecde9e10.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2452 MediaCenter.exe

pid	process
2452	MediaCenter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3908-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/3908-5-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2452-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3908-12-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0364d40f6d2b412a5abd49f3ecde9e10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0364d40f6d2b412a5abd49f3ecde9e10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4112 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0364d40f6d2b412a5abd49f3ecde9e10.exesvchost.exe

description pid process

Token: SeIncBasePriorityPrivilege 3908 0364d40f6d2b412a5abd49f3ecde9e10.exe
Token: SeManageVolumePrivilege 4852 svchost.exe

pid	process
4112	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe
Token: SeManageVolumePrivilege	4852	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0364d40f6d2b412a5abd49f3ecde9e10.execmd.exe

description	pid	process	target process
PID 3908 wrote to memory of 2452	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	MediaCenter.exe
PID 3908 wrote to memory of 2452	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	MediaCenter.exe
PID 3908 wrote to memory of 2452	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	MediaCenter.exe
PID 3908 wrote to memory of 636	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	cmd.exe
PID 3908 wrote to memory of 636	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	cmd.exe
PID 3908 wrote to memory of 636	3908	0364d40f6d2b412a5abd49f3ecde9e10.exe	cmd.exe
PID 636 wrote to memory of 4112	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 4112	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 4112	636	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0364d40f6d2b412a5abd49f3ecde9e10.exe
"C:\Users\Admin\AppData\Local\Temp\0364d40f6d2b412a5abd49f3ecde9e10.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0364d40f6d2b412a5abd49f3ecde9e10.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4112

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
6504aa21cd3406a8c07f51174da7664e

SHA1
d695cd9ceceee954b49dae9c42e8cd7a13e7cd99

SHA256
896ac2b483a5c7d2d019752c01a553205cb068c08c7514733e2f76b7d425ca31

SHA512
f457ebc1f14bba1f11f7da472e5290f76ccfe4b2850e93039700613f60d2b35d68d4bf0957e9563716724351e5448b30db270901771b928d72c3aa22bfd923f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\dvnsntkx467796445[1].htm
Filesize
1KB

MD5
b8e5031ea545c52885f5e92f753dfa29

SHA1
caa26c58c4c50e0d1227a7d06b44171e4727c49f

SHA256
a2feeca638d07f490ab9a6808d334259ac823b8dc7d1d6a0408ce977c790bef2

SHA512
0d2e1e0b87a73f95f40d66a83200ea82b2d34f28d3b27aac3bb89a1edf323cfe6b681ce7f21b440880e07706d76fe90f6c8c3bda14b0c82837dee384a89713c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
96KB

MD5
8e539f4e62552376521cd5062fd3559b

SHA1
cce72a84a4cc968a0fa5c1169ac4a6b647a83293

SHA256
2843c834e7d53ffe82ff5bc858db28a25737653cd4d062c648d7b63e155ba18a

SHA512
418a53293db9a789f77c2068c5bc3b9d09d1f4feb39a8c520e3c289816c99367b8dbccd5f802b5ceb374a316191765c7aecde669fd2ff6860d232d5b6b94b8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
96KB

MD5
8e539f4e62552376521cd5062fd3559b

SHA1
cce72a84a4cc968a0fa5c1169ac4a6b647a83293

SHA256
2843c834e7d53ffe82ff5bc858db28a25737653cd4d062c648d7b63e155ba18a

SHA512
418a53293db9a789f77c2068c5bc3b9d09d1f4feb39a8c520e3c289816c99367b8dbccd5f802b5ceb374a316191765c7aecde669fd2ff6860d232d5b6b94b8d5

Download Submit
memory/2452-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4852-66-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-71-0x000001A4A41C0000-0x000001A4A41C1000-memory.dmp

Filesize
4KB

Download
memory/4852-62-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-63-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-64-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-65-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-58-0x000001A4A4570000-0x000001A4A4571000-memory.dmp

Filesize
4KB

Download
memory/4852-67-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-68-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-69-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-70-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-59-0x000001A4A4590000-0x000001A4A4591000-memory.dmp

Filesize
4KB

Download
memory/4852-72-0x000001A4A41B0000-0x000001A4A41B1000-memory.dmp

Filesize
4KB

Download
memory/4852-74-0x000001A4A41C0000-0x000001A4A41C1000-memory.dmp

Filesize
4KB

Download
memory/4852-77-0x000001A4A41B0000-0x000001A4A41B1000-memory.dmp

Filesize
4KB

Download
memory/4852-80-0x000001A4A40F0000-0x000001A4A40F1000-memory.dmp

Filesize
4KB

Download
memory/4852-42-0x000001A49BF80000-0x000001A49BF90000-memory.dmp

Filesize
64KB

Download
memory/4852-92-0x000001A4A42F0000-0x000001A4A42F1000-memory.dmp

Filesize
4KB

Download
memory/4852-94-0x000001A4A4300000-0x000001A4A4301000-memory.dmp

Filesize
4KB

Download
memory/4852-95-0x000001A4A4300000-0x000001A4A4301000-memory.dmp

Filesize
4KB

Download
memory/4852-26-0x000001A49BE80000-0x000001A49BE90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads