sakula | 3be8c5f9e27fefd24fa6f92e11bc970a3b858776758aa28e6e0e26c5aa5d4cdb

General

Target

NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
Size

42KB
MD5

895ac5f3879eb59072aa62acfb199ea0
SHA1

345c7505418c4b12abd53d431037fcadc191a854
SHA256

3be8c5f9e27fefd24fa6f92e11bc970a3b858776758aa28e6e0e26c5aa5d4cdb
SHA512

a7af1baf4c97701a2fd61f89cf896e0120f9ce879ef05e9fe4dc5cd7ea53c6b9dbf06e209e3535aad22bba4db3dbe7071b38d5a369e9e1c9ed8f67dd9bbcf3bc
SSDEEP

192:+UoHtBBPR/wn3VGswB1ZztrM5gwX/wJlB5rC/42oq+vLtr9ZCspE+TMgrZMVQ/Eg:Hk6g7trW54DLdAeMvVQ/97wRiVojZG

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2216 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.895ac5f3879eb59072aa62acfb199ea0.exe

pid process

536 NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
536 NEAS.895ac5f3879eb59072aa62acfb199ea0.exe

pid	process
2536	cmd.exe

pid	process
2216	MediaCenter.exe

pid	process
536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/536-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/536-1-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/536-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/536-3-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/2216-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/536-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2216-18-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3044 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2968 PING.EXE

pid	process
3044	reg.exe

pid	process
2968	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.895ac5f3879eb59072aa62acfb199ea0.execmd.execmd.exe

description	pid	process	target process
PID 536 wrote to memory of 1728	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 1728	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 1728	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 1728	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 2216	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	MediaCenter.exe
PID 536 wrote to memory of 2216	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	MediaCenter.exe
PID 536 wrote to memory of 2216	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	MediaCenter.exe
PID 536 wrote to memory of 2216	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	MediaCenter.exe
PID 1728 wrote to memory of 3044	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 3044	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 3044	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 3044	1728	cmd.exe	reg.exe
PID 536 wrote to memory of 2536	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 2536	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 2536	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 536 wrote to memory of 2536	536	NEAS.895ac5f3879eb59072aa62acfb199ea0.exe	cmd.exe
PID 2536 wrote to memory of 2968	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2968	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2968	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2968	2536	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3044

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
2455e4aa4c0e108a436cf90959ee0f0b

SHA1
31bf9788b7681f18bec313ae4ebb15962ad3e5b0

SHA256
32cbf65f93d19d85eb5735130647bd29efd0ff4b1ecebb590c05b2f77be4c856

SHA512
de51616fde6443db354c6502d4a180527c95b85ace82b541d3572a1436fa6b1d7ac1d4a660c9c32ef2c9c202e57b79320582f261257c699e5103b176455724bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
2455e4aa4c0e108a436cf90959ee0f0b

SHA1
31bf9788b7681f18bec313ae4ebb15962ad3e5b0

SHA256
32cbf65f93d19d85eb5735130647bd29efd0ff4b1ecebb590c05b2f77be4c856

SHA512
de51616fde6443db354c6502d4a180527c95b85ace82b541d3572a1436fa6b1d7ac1d4a660c9c32ef2c9c202e57b79320582f261257c699e5103b176455724bb

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
2455e4aa4c0e108a436cf90959ee0f0b

SHA1
31bf9788b7681f18bec313ae4ebb15962ad3e5b0

SHA256
32cbf65f93d19d85eb5735130647bd29efd0ff4b1ecebb590c05b2f77be4c856

SHA512
de51616fde6443db354c6502d4a180527c95b85ace82b541d3572a1436fa6b1d7ac1d4a660c9c32ef2c9c202e57b79320582f261257c699e5103b176455724bb

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
2455e4aa4c0e108a436cf90959ee0f0b

SHA1
31bf9788b7681f18bec313ae4ebb15962ad3e5b0

SHA256
32cbf65f93d19d85eb5735130647bd29efd0ff4b1ecebb590c05b2f77be4c856

SHA512
de51616fde6443db354c6502d4a180527c95b85ace82b541d3572a1436fa6b1d7ac1d4a660c9c32ef2c9c202e57b79320582f261257c699e5103b176455724bb

Download Submit
memory/536-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-14-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2216-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2216-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads