sakula | aa52d9cdc2705ced8c9538057172056a5d771e7886db22633545a2deba23e479

General

Target

NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe
Size

40KB
MD5

b1cd4f746c4e24af485938411c8b5940
SHA1

fe1e3045c3c8100675afdc2f92b709398fa91697
SHA256

aa52d9cdc2705ced8c9538057172056a5d771e7886db22633545a2deba23e479
SHA512

a69cc7ccaf1c17b03174290c3bd0e1fe8c55c01d44bad05881ee449ad6b697fddbaee946be64133c00c12962887e1f4c51cadba0b3f4b930f6b1010221de9b75
SSDEEP

384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMo:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqg

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://vpn.premrera.com:443/photo/%s.jpg?id=%d

http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://173.254.226.212:443/photo/%s.jpg?id=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2600 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2648 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3024 cmd.exe
3024 cmd.exe

pid	process
2600	cmd.exe

pid	process
2648	MediaCenter.exe

pid	process
3024	cmd.exe
3024	cmd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2244-1-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2244-3-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/3024-7-0x0000000000400000-0x000000000040D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2748 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2688 PING.EXE

pid	process
2748	reg.exe

pid	process
2688	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

NEAS.b1cd4f746c4e24af485938411c8b5940_JC.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 3056	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3056	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3056	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3056	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3024	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3024	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3024	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 3024	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 2600	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 2600	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 2600	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 2244 wrote to memory of 2600	2244	NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe	cmd.exe
PID 3056 wrote to memory of 2748	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 2748	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 2748	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 2748	3056	cmd.exe	reg.exe
PID 2600 wrote to memory of 2688	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2688	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2688	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2688	2600	cmd.exe	PING.EXE
PID 3024 wrote to memory of 2648	3024	cmd.exe	MediaCenter.exe
PID 3024 wrote to memory of 2648	3024	cmd.exe	MediaCenter.exe
PID 3024 wrote to memory of 2648	3024	cmd.exe	MediaCenter.exe
PID 3024 wrote to memory of 2648	3024	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.b1cd4f746c4e24af485938411c8b5940_JC.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
f3dfe6c1e5ec1a8daf312ea4026fb4a2

SHA1
a8e27fdfd5124b1aebc4a4cfd0e4ed38dcd20061

SHA256
4290f87011575ffad630401dee37e8949978aab6277bf8aa49c347ed3d407e62

SHA512
180faa11d96a93653764efe1b01da9a61ca570769a12db434df5a54f623cab05d675218f1c5c3742de8173d7e1e9902bd5e6e766ac205eb9cbf9b7f79de9bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
f3dfe6c1e5ec1a8daf312ea4026fb4a2

SHA1
a8e27fdfd5124b1aebc4a4cfd0e4ed38dcd20061

SHA256
4290f87011575ffad630401dee37e8949978aab6277bf8aa49c347ed3d407e62

SHA512
180faa11d96a93653764efe1b01da9a61ca570769a12db434df5a54f623cab05d675218f1c5c3742de8173d7e1e9902bd5e6e766ac205eb9cbf9b7f79de9bbc8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
f3dfe6c1e5ec1a8daf312ea4026fb4a2

SHA1
a8e27fdfd5124b1aebc4a4cfd0e4ed38dcd20061

SHA256
4290f87011575ffad630401dee37e8949978aab6277bf8aa49c347ed3d407e62

SHA512
180faa11d96a93653764efe1b01da9a61ca570769a12db434df5a54f623cab05d675218f1c5c3742de8173d7e1e9902bd5e6e766ac205eb9cbf9b7f79de9bbc8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
f3dfe6c1e5ec1a8daf312ea4026fb4a2

SHA1
a8e27fdfd5124b1aebc4a4cfd0e4ed38dcd20061

SHA256
4290f87011575ffad630401dee37e8949978aab6277bf8aa49c347ed3d407e62

SHA512
180faa11d96a93653764efe1b01da9a61ca570769a12db434df5a54f623cab05d675218f1c5c3742de8173d7e1e9902bd5e6e766ac205eb9cbf9b7f79de9bbc8

Download Submit
memory/2244-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2244-1-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2244-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3024-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3024-9-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads