sakula | f3a618af1d97c0ce971b5cda4732908f5c357334f9a540ff025f8565290cc0ac

General

Target

NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe
Size

12KB
MD5

c857e28a8f6c956aa381d2b6b9e7b020
SHA1

f9ce3d2a1ea3891b235461cb96d9f7dda63d6d9d
SHA256

f3a618af1d97c0ce971b5cda4732908f5c357334f9a540ff025f8565290cc0ac
SHA512

768df386137e92d973fd345e5fdaf13122173c491ff0ab672f1744c24282ffc338563dc79d75dadb2669c22a7ac7490637ade0e726aa60262f1513041a2a965f
SSDEEP

192:+UoHtBBPR/wn3VGswB1ZztrM5gwX/wJlB5rC/42oq+vLtr9ZCspE+TMgrZMVT:Hk6g7trW54DLdAeMvVT

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2692 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1992 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe

pid process

2248 NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe
2248 NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe

pid	process
2692	cmd.exe

pid	process
1992	MediaCenter.exe

pid	process
2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe
2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2248-1-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2248-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2248-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/1992-18-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2064 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2884 PING.EXE

pid	process
2064	reg.exe

pid	process
2884	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.c857e28a8f6c956aa381d2b6b9e7b020.execmd.execmd.exe

description	pid	process	target process
PID 2248 wrote to memory of 1696	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 1696	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 1696	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 1696	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 1992	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	MediaCenter.exe
PID 2248 wrote to memory of 1992	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	MediaCenter.exe
PID 2248 wrote to memory of 1992	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	MediaCenter.exe
PID 2248 wrote to memory of 1992	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	MediaCenter.exe
PID 1696 wrote to memory of 2064	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 2064	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 2064	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 2064	1696	cmd.exe	reg.exe
PID 2248 wrote to memory of 2692	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 2692	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 2692	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2248 wrote to memory of 2692	2248	NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe	cmd.exe
PID 2692 wrote to memory of 2884	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2884	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2884	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2884	2692	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2064

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.c857e28a8f6c956aa381d2b6b9e7b020.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
12KB

MD5
ccf4a6b5e4a4b063de2d64a7a17c9a34

SHA1
2cee6105d5983abe11e19250f5c54e86b6886fed

SHA256
5c8871252211fd051fae4d1aa7149afeb71648562e9b5a70efed2e3c6d801d59

SHA512
3e6091efda5a2a7970afb7fb68acf3518ce77f4fc540e03788c4e8d091a5269f7c11ee8cdd77d412fa72f582d60824174a4ba6815da0c10b71c08eefaedb04c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
12KB

MD5
ccf4a6b5e4a4b063de2d64a7a17c9a34

SHA1
2cee6105d5983abe11e19250f5c54e86b6886fed

SHA256
5c8871252211fd051fae4d1aa7149afeb71648562e9b5a70efed2e3c6d801d59

SHA512
3e6091efda5a2a7970afb7fb68acf3518ce77f4fc540e03788c4e8d091a5269f7c11ee8cdd77d412fa72f582d60824174a4ba6815da0c10b71c08eefaedb04c2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
12KB

MD5
ccf4a6b5e4a4b063de2d64a7a17c9a34

SHA1
2cee6105d5983abe11e19250f5c54e86b6886fed

SHA256
5c8871252211fd051fae4d1aa7149afeb71648562e9b5a70efed2e3c6d801d59

SHA512
3e6091efda5a2a7970afb7fb68acf3518ce77f4fc540e03788c4e8d091a5269f7c11ee8cdd77d412fa72f582d60824174a4ba6815da0c10b71c08eefaedb04c2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
12KB

MD5
ccf4a6b5e4a4b063de2d64a7a17c9a34

SHA1
2cee6105d5983abe11e19250f5c54e86b6886fed

SHA256
5c8871252211fd051fae4d1aa7149afeb71648562e9b5a70efed2e3c6d801d59

SHA512
3e6091efda5a2a7970afb7fb68acf3518ce77f4fc540e03788c4e8d091a5269f7c11ee8cdd77d412fa72f582d60824174a4ba6815da0c10b71c08eefaedb04c2

Download Submit
memory/1992-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-7-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2248-12-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2248-14-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads