sakula | 2806314b9ed9d7b909c866ed8dfe0cd745e5f0d0be520c3265383782ad0b67bb

General

Target

NEAS.0f4523660b7d8c30dd68c3b765140730.exe
Size

72KB
MD5

0f4523660b7d8c30dd68c3b765140730
SHA1

dd96c744fd1546c23b695e982ea11222cc5cf9b6
SHA256

2806314b9ed9d7b909c866ed8dfe0cd745e5f0d0be520c3265383782ad0b67bb
SHA512

b2de1c0f5449407f5944b863dae79d4d305f39d1b86dbef430f27dc04cf2e710ac2391b38792e3a6050e818fdc4e3221048233f2db2f014bbc01bbbc87bcec30
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVW6QptwyG:G6zqhyYtkYW/CPnO3ajwyG

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2556 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.0f4523660b7d8c30dd68c3b765140730.exe

pid process

2720 NEAS.0f4523660b7d8c30dd68c3b765140730.exe
2720 NEAS.0f4523660b7d8c30dd68c3b765140730.exe

pid	process
2556	MediaCenter.exe

pid	process
2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe
2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1944 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1660 PING.EXE

pid	process
1944	reg.exe

pid	process
1660	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.0f4523660b7d8c30dd68c3b765140730.execmd.execmd.exe

description	pid	process	target process
PID 2720 wrote to memory of 2704	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2704	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2704	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2704	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2556	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 2720 wrote to memory of 2556	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 2720 wrote to memory of 2556	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 2720 wrote to memory of 2556	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 2704 wrote to memory of 1944	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1944	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1944	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1944	2704	cmd.exe	reg.exe
PID 2720 wrote to memory of 2148	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2148	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2148	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2720 wrote to memory of 2148	2720	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 2148 wrote to memory of 1660	2148	cmd.exe	PING.EXE
PID 2148 wrote to memory of 1660	2148	cmd.exe	PING.EXE
PID 2148 wrote to memory of 1660	2148	cmd.exe	PING.EXE
PID 2148 wrote to memory of 1660	2148	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1944

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
ac943f8d3dee94ca4910c37c280e33b4

SHA1
480819840405d5bf5c6ba6def254c9fe883b4ca3

SHA256
c2348712f4813a4e1c6ebcdecadb805269803f71573908e5fa7e4d2f5513c9b9

SHA512
f6ffb799ca7f7dfeb58f1e19391bd4dfd3fda218efc9120d001e60f23103bc4c08e4f4704a8c6a88661115535bee962ab7f75b932951f911d4c3f9223d2949dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
ac943f8d3dee94ca4910c37c280e33b4

SHA1
480819840405d5bf5c6ba6def254c9fe883b4ca3

SHA256
c2348712f4813a4e1c6ebcdecadb805269803f71573908e5fa7e4d2f5513c9b9

SHA512
f6ffb799ca7f7dfeb58f1e19391bd4dfd3fda218efc9120d001e60f23103bc4c08e4f4704a8c6a88661115535bee962ab7f75b932951f911d4c3f9223d2949dc

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
ac943f8d3dee94ca4910c37c280e33b4

SHA1
480819840405d5bf5c6ba6def254c9fe883b4ca3

SHA256
c2348712f4813a4e1c6ebcdecadb805269803f71573908e5fa7e4d2f5513c9b9

SHA512
f6ffb799ca7f7dfeb58f1e19391bd4dfd3fda218efc9120d001e60f23103bc4c08e4f4704a8c6a88661115535bee962ab7f75b932951f911d4c3f9223d2949dc

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
ac943f8d3dee94ca4910c37c280e33b4

SHA1
480819840405d5bf5c6ba6def254c9fe883b4ca3

SHA256
c2348712f4813a4e1c6ebcdecadb805269803f71573908e5fa7e4d2f5513c9b9

SHA512
f6ffb799ca7f7dfeb58f1e19391bd4dfd3fda218efc9120d001e60f23103bc4c08e4f4704a8c6a88661115535bee962ab7f75b932951f911d4c3f9223d2949dc

Download Submit
memory/2556-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2556-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-10-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2720-12-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads