sakula | 9f92741e2edb51b51e0143511cd24ba77825b4307bcb10fde6b6e0dc3f6c560e

General

Target

NEAS.7ebc035c4333830745ff919625eea0c0.exe
Size

76KB
MD5

7ebc035c4333830745ff919625eea0c0
SHA1

ba850da0349c55864ca94f273521f72c2882d8da
SHA256

9f92741e2edb51b51e0143511cd24ba77825b4307bcb10fde6b6e0dc3f6c560e
SHA512

1bdba57aedc532c87d3ab1c684f00cd2651e49b21f18add55773b625d7da61b27f575ca121793d00d3a318e870729acc8a73846aaf9a38994d500fe02da89dca
SSDEEP

768:FhSksandb4GgyMsp4hyYtoVxYGm1ZAIPsED3VK2+ZtyOjgO4r9vFAg2rqf:FTsGpehyYtkYvnbYTjipvF2i

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://vpn.premrera.com:443/photo/%s.jpg?id=%d

http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://173.254.226.212:443/photo/%s.jpg?id=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2720 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2748 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2416 cmd.exe
2416 cmd.exe

pid	process
2720	cmd.exe

pid	process
2748	MediaCenter.exe

pid	process
2416	cmd.exe
2416	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2792 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1952 PING.EXE

pid	process
2792	reg.exe

pid	process
1952	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

NEAS.7ebc035c4333830745ff919625eea0c0.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 2684	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2684	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2684	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2684	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2416	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2416	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2416	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2416	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2720	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2720	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2720	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 1696 wrote to memory of 2720	1696	NEAS.7ebc035c4333830745ff919625eea0c0.exe	cmd.exe
PID 2684 wrote to memory of 2792	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2792	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2792	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2792	2684	cmd.exe	reg.exe
PID 2416 wrote to memory of 2748	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2748	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2748	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2748	2416	cmd.exe	MediaCenter.exe
PID 2720 wrote to memory of 1952	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 1952	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 1952	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 1952	2720	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.7ebc035c4333830745ff919625eea0c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ebc035c4333830745ff919625eea0c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.7ebc035c4333830745ff919625eea0c0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
76KB

MD5
2f3aebc8422a9c3285b409e457915c99

SHA1
41e07e54e6b624620f243eb8f6fdf793eb1d7bf9

SHA256
4155d9f1294c73f5001d113242d6a97327454d269fb1f3f613fdee85753b77d3

SHA512
4e4f7f7356e36bedad6f89018e7fc30ebcf1bf0bbe67bd2cd7cf6816b10d49ee9edc839482fca829f692d50868b6dc75b5a574a1de2220a42cf3e292976bd701

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
76KB

MD5
2f3aebc8422a9c3285b409e457915c99

SHA1
41e07e54e6b624620f243eb8f6fdf793eb1d7bf9

SHA256
4155d9f1294c73f5001d113242d6a97327454d269fb1f3f613fdee85753b77d3

SHA512
4e4f7f7356e36bedad6f89018e7fc30ebcf1bf0bbe67bd2cd7cf6816b10d49ee9edc839482fca829f692d50868b6dc75b5a574a1de2220a42cf3e292976bd701

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
76KB

MD5
2f3aebc8422a9c3285b409e457915c99

SHA1
41e07e54e6b624620f243eb8f6fdf793eb1d7bf9

SHA256
4155d9f1294c73f5001d113242d6a97327454d269fb1f3f613fdee85753b77d3

SHA512
4e4f7f7356e36bedad6f89018e7fc30ebcf1bf0bbe67bd2cd7cf6816b10d49ee9edc839482fca829f692d50868b6dc75b5a574a1de2220a42cf3e292976bd701

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
76KB

MD5
2f3aebc8422a9c3285b409e457915c99

SHA1
41e07e54e6b624620f243eb8f6fdf793eb1d7bf9

SHA256
4155d9f1294c73f5001d113242d6a97327454d269fb1f3f613fdee85753b77d3

SHA512
4e4f7f7356e36bedad6f89018e7fc30ebcf1bf0bbe67bd2cd7cf6816b10d49ee9edc839482fca829f692d50868b6dc75b5a574a1de2220a42cf3e292976bd701

Download Submit
memory/1696-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1696-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1696-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2416-6-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/2416-8-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/2416-11-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/2416-12-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/2748-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads