sakula | 59fc9b0d6bb6a912f13dde90f409ee514a3482c0c9da0af2380daadbf54eceb6

General

Target

NEAS.1c415d918b7244f6ade68f641435df50_JC.exe
Size

212KB
MD5

1c415d918b7244f6ade68f641435df50
SHA1

db847e38e19543ab52965ded083105f1c9a5b033
SHA256

59fc9b0d6bb6a912f13dde90f409ee514a3482c0c9da0af2380daadbf54eceb6
SHA512

21749506622aa39e7f4e4ade73942db218e631259dd3a97d872820dd8e0571af012146156f58014cbd06a48bb81b1979b8215ce6ac424422b6bd989e8a667d8c
SSDEEP

1536:NtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0GanBe:A29DkEGRQixVSjLc130BYgjXjpUnBe

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2516-0-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/2516-5-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/1232-6-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/1232-7-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/2516-8-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1232 MediaCenter.exe

pid	process
1232	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2516-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/2516-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/1232-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1232-7-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2516-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4992 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 2516 NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

pid	process
4992	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

NEAS.1c415d918b7244f6ade68f641435df50_JC.execmd.exe

description	pid	process	target process
PID 2516 wrote to memory of 1232	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	MediaCenter.exe
PID 2516 wrote to memory of 1232	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	MediaCenter.exe
PID 2516 wrote to memory of 1232	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	MediaCenter.exe
PID 2516 wrote to memory of 4588	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	cmd.exe
PID 2516 wrote to memory of 4588	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	cmd.exe
PID 2516 wrote to memory of 4588	2516	NEAS.1c415d918b7244f6ade68f641435df50_JC.exe	cmd.exe
PID 4588 wrote to memory of 4992	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 4992	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 4992	4588	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.1c415d918b7244f6ade68f641435df50_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1c415d918b7244f6ade68f641435df50_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.1c415d918b7244f6ade68f641435df50_JC.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
4dec6d5645d5e4f4ed2bb084581d32c5

SHA1
dddc7fc2533710e0853815dc3c64b7a6851ec6eb

SHA256
8b4322ff2eca87292a0c1fb3d339a45c98af25fed8645601297f620115beaf0f

SHA512
6127a77e4a68483656715431e976badb64a8ed729fb75a02ec28ebf6ef2df35b456dfbd1dbf3bf2918ec1e53ce1be67842c109d5bb772c70efc99ce09dfd001d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
4dec6d5645d5e4f4ed2bb084581d32c5

SHA1
dddc7fc2533710e0853815dc3c64b7a6851ec6eb

SHA256
8b4322ff2eca87292a0c1fb3d339a45c98af25fed8645601297f620115beaf0f

SHA512
6127a77e4a68483656715431e976badb64a8ed729fb75a02ec28ebf6ef2df35b456dfbd1dbf3bf2918ec1e53ce1be67842c109d5bb772c70efc99ce09dfd001d

Download Submit
memory/1232-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads