sakula | 26be8a8d061e3681dca81b85fe8421e2dcf114fb74f1c4963d75686e16be846e

General

Target

NEAS.fa6f2a81cfe58c75464b718232600590.exe
Size

37KB
MD5

fa6f2a81cfe58c75464b718232600590
SHA1

76593acd52de4f0e82afffaa801d710f5582b22a
SHA256

26be8a8d061e3681dca81b85fe8421e2dcf114fb74f1c4963d75686e16be846e
SHA512

90f7e9f6f04dbaf8112a33caeedc55ca3c87f7c76042ad484b26be2c6a3813e95c3cc5d783ee01625e15234356001e168acd0e9412db45456da9c3ad212da4bc
SSDEEP

768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9zJ:n6zqhyYtkYWRPTEzJ

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2504 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2552 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.fa6f2a81cfe58c75464b718232600590.exe

pid process

2168 NEAS.fa6f2a81cfe58c75464b718232600590.exe
2168 NEAS.fa6f2a81cfe58c75464b718232600590.exe

pid	process
2504	cmd.exe

pid	process
2552	MediaCenter.exe

pid	process
2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe
2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2676 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2932 PING.EXE

pid	process
2676	reg.exe

pid	process
2932	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.fa6f2a81cfe58c75464b718232600590.execmd.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 2644	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2644	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2644	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2644	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2552	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 2168 wrote to memory of 2552	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 2168 wrote to memory of 2552	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 2168 wrote to memory of 2552	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 2644 wrote to memory of 2676	2644	cmd.exe	reg.exe
PID 2644 wrote to memory of 2676	2644	cmd.exe	reg.exe
PID 2644 wrote to memory of 2676	2644	cmd.exe	reg.exe
PID 2644 wrote to memory of 2676	2644	cmd.exe	reg.exe
PID 2168 wrote to memory of 2504	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 2504 wrote to memory of 2932	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2932	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2932	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2932	2504	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2676

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
2bf4f0bf8e7a25c5d88085d0137ac08c

SHA1
eab7ceb7f41251c47759270d2b422e428e5ee061

SHA256
9df7b8975debf4401e0267bfb2d56d0228a09eb3498396f092aa3802d9bc37c3

SHA512
8df9c205c0550835e5bea4ed6359c231a59e2387fd9e0b6f3249a1eac3c38f9ad19a11b0ee90125a310ef4e53dc3f6714d013e7c500a116b89b2180105bb307a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
2bf4f0bf8e7a25c5d88085d0137ac08c

SHA1
eab7ceb7f41251c47759270d2b422e428e5ee061

SHA256
9df7b8975debf4401e0267bfb2d56d0228a09eb3498396f092aa3802d9bc37c3

SHA512
8df9c205c0550835e5bea4ed6359c231a59e2387fd9e0b6f3249a1eac3c38f9ad19a11b0ee90125a310ef4e53dc3f6714d013e7c500a116b89b2180105bb307a

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
2bf4f0bf8e7a25c5d88085d0137ac08c

SHA1
eab7ceb7f41251c47759270d2b422e428e5ee061

SHA256
9df7b8975debf4401e0267bfb2d56d0228a09eb3498396f092aa3802d9bc37c3

SHA512
8df9c205c0550835e5bea4ed6359c231a59e2387fd9e0b6f3249a1eac3c38f9ad19a11b0ee90125a310ef4e53dc3f6714d013e7c500a116b89b2180105bb307a

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
2bf4f0bf8e7a25c5d88085d0137ac08c

SHA1
eab7ceb7f41251c47759270d2b422e428e5ee061

SHA256
9df7b8975debf4401e0267bfb2d56d0228a09eb3498396f092aa3802d9bc37c3

SHA512
8df9c205c0550835e5bea4ed6359c231a59e2387fd9e0b6f3249a1eac3c38f9ad19a11b0ee90125a310ef4e53dc3f6714d013e7c500a116b89b2180105bb307a

Download Submit
memory/2168-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2552-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads