sakula | e408146553434256c29bbf21c01eb51c925dc2b9e0cfa6c1adaa0bda9c7deb04

General

Target

NEAS.e22fd557446fc4db192f2a59a63b9060.exe
Size

42KB
MD5

e22fd557446fc4db192f2a59a63b9060
SHA1

5d4284f1c17c4b8641314d8ff7168bf9e2def1de
SHA256

e408146553434256c29bbf21c01eb51c925dc2b9e0cfa6c1adaa0bda9c7deb04
SHA512

7259157ea442911f23c27cc1f9141fbfab70877516a8eb108debb61de01efc53b2ef26104761782ddcb47ba29bf660b1f0a312eba284bf23fc6dbed4ff2c8c83
SSDEEP

768:KhSksandb4GgyMsp4hyYtoVxYGm1oUt1vnhB+G:KTsGpehyYtkYvyUFsG

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://vpn.premrera.com:443/photo/%s.jpg?id=%d

http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://173.254.226.212:443/photo/%s.jpg?id=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2948 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2816 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2416 cmd.exe
2416 cmd.exe

pid	process
2948	cmd.exe

pid	process
2816	MediaCenter.exe

pid	process
2416	cmd.exe
2416	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2700 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2708 PING.EXE

pid	process
2700	reg.exe

pid	process
2708	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

NEAS.e22fd557446fc4db192f2a59a63b9060.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 1408	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 1408	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 1408	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 1408	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2416	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2416	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2416	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2416	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	NEAS.e22fd557446fc4db192f2a59a63b9060.exe	cmd.exe
PID 1408 wrote to memory of 2700	1408	cmd.exe	reg.exe
PID 1408 wrote to memory of 2700	1408	cmd.exe	reg.exe
PID 1408 wrote to memory of 2700	1408	cmd.exe	reg.exe
PID 1408 wrote to memory of 2700	1408	cmd.exe	reg.exe
PID 2948 wrote to memory of 2708	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2708	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2708	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2708	2948	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2816	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2816	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2816	2416	cmd.exe	MediaCenter.exe
PID 2416 wrote to memory of 2816	2416	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.e22fd557446fc4db192f2a59a63b9060.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e22fd557446fc4db192f2a59a63b9060.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.e22fd557446fc4db192f2a59a63b9060.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
d611df23c296b68917f1e1067a194ac5

SHA1
5e100ce5d1d02cda2c1c6ce3c79f97a56f627f23

SHA256
563147df85be93311310671bcd430eff78b60d0d0bf1ada1fcb429f5f7806449

SHA512
34fa86f4f895c9cbdea6133cdbb836b5576dda8b0811db2340b0c8ba5d42c2765ad7626423f7b5ab9dca0c5a541e5d349ccb2ce33cf50a4ccdd6308063550666

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
d611df23c296b68917f1e1067a194ac5

SHA1
5e100ce5d1d02cda2c1c6ce3c79f97a56f627f23

SHA256
563147df85be93311310671bcd430eff78b60d0d0bf1ada1fcb429f5f7806449

SHA512
34fa86f4f895c9cbdea6133cdbb836b5576dda8b0811db2340b0c8ba5d42c2765ad7626423f7b5ab9dca0c5a541e5d349ccb2ce33cf50a4ccdd6308063550666

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
d611df23c296b68917f1e1067a194ac5

SHA1
5e100ce5d1d02cda2c1c6ce3c79f97a56f627f23

SHA256
563147df85be93311310671bcd430eff78b60d0d0bf1ada1fcb429f5f7806449

SHA512
34fa86f4f895c9cbdea6133cdbb836b5576dda8b0811db2340b0c8ba5d42c2765ad7626423f7b5ab9dca0c5a541e5d349ccb2ce33cf50a4ccdd6308063550666

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
42KB

MD5
d611df23c296b68917f1e1067a194ac5

SHA1
5e100ce5d1d02cda2c1c6ce3c79f97a56f627f23

SHA256
563147df85be93311310671bcd430eff78b60d0d0bf1ada1fcb429f5f7806449

SHA512
34fa86f4f895c9cbdea6133cdbb836b5576dda8b0811db2340b0c8ba5d42c2765ad7626423f7b5ab9dca0c5a541e5d349ccb2ce33cf50a4ccdd6308063550666

Download Submit
memory/2120-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2120-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2120-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads