sakula | c97c0b8f5f75d8848f9d30c0e6f95fde19919d20828102b3f53b7b78cbda6175

General

Target

NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe
Size

39KB
MD5

7a96fba9dd3d86763a0cbb34e5971120
SHA1

c2197d11f3a83e923eb7fe6f81a3e3663f414a14
SHA256

c97c0b8f5f75d8848f9d30c0e6f95fde19919d20828102b3f53b7b78cbda6175
SHA512

9629ab35530df1e67a88d26028b79a774da81f59612a1a82e7e672798f53ce357f3fcb8e6a798c5de781da1a4d77a89e4f0bae749528904d707970e54bd3880e
SSDEEP

384:km7SCFozc/T94Umdjpxq4TqvhyY3Q6oVxYlOws0me86g7trW54Uu6Ot2xLdAeMvC:H7Xezc/T6Zp14hyYtoVxYBY37054V4

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2540 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3060 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe

pid process

2568 NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe
2568 NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe

pid	process
2540	cmd.exe

pid	process
3060	MediaCenter.exe

pid	process
2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe
2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2568-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2568-1-0x0000000000400000-0x000000000040C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/2568-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

856 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2532 PING.EXE

pid	process
856	reg.exe

pid	process
2532	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.7a96fba9dd3d86763a0cbb34e5971120.execmd.execmd.exe

description	pid	process	target process
PID 2568 wrote to memory of 1588	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 1588	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 1588	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 1588	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 3060	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	MediaCenter.exe
PID 2568 wrote to memory of 3060	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	MediaCenter.exe
PID 2568 wrote to memory of 3060	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	MediaCenter.exe
PID 2568 wrote to memory of 3060	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	MediaCenter.exe
PID 1588 wrote to memory of 856	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 856	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 856	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 856	1588	cmd.exe	reg.exe
PID 2568 wrote to memory of 2540	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 2540	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 2540	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2568 wrote to memory of 2540	2568	NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe	cmd.exe
PID 2540 wrote to memory of 2532	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 2532	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 2532	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 2532	2540	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:856

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.7a96fba9dd3d86763a0cbb34e5971120.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
3af67874b45e228d81d2d99e3eaa819f

SHA1
480ef3ac9a50aac33f78f7dcc9441e913173c789

SHA256
f8d27b21126015ac6dc8fb72cad3fcf402b253addc1b84848c99b6115905e06e

SHA512
52d54c4b4a1dc41b08510d86a9aa8f8e57d473ff550c6f397d0da79e930705fe839039dac24367aff383e931cc44a506d358b2988342cd4e84839a8daf3103f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
3af67874b45e228d81d2d99e3eaa819f

SHA1
480ef3ac9a50aac33f78f7dcc9441e913173c789

SHA256
f8d27b21126015ac6dc8fb72cad3fcf402b253addc1b84848c99b6115905e06e

SHA512
52d54c4b4a1dc41b08510d86a9aa8f8e57d473ff550c6f397d0da79e930705fe839039dac24367aff383e931cc44a506d358b2988342cd4e84839a8daf3103f6

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
3af67874b45e228d81d2d99e3eaa819f

SHA1
480ef3ac9a50aac33f78f7dcc9441e913173c789

SHA256
f8d27b21126015ac6dc8fb72cad3fcf402b253addc1b84848c99b6115905e06e

SHA512
52d54c4b4a1dc41b08510d86a9aa8f8e57d473ff550c6f397d0da79e930705fe839039dac24367aff383e931cc44a506d358b2988342cd4e84839a8daf3103f6

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
3af67874b45e228d81d2d99e3eaa819f

SHA1
480ef3ac9a50aac33f78f7dcc9441e913173c789

SHA256
f8d27b21126015ac6dc8fb72cad3fcf402b253addc1b84848c99b6115905e06e

SHA512
52d54c4b4a1dc41b08510d86a9aa8f8e57d473ff550c6f397d0da79e930705fe839039dac24367aff383e931cc44a506d358b2988342cd4e84839a8daf3103f6

Download Submit
memory/2568-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-5-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2568-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads