sakula | 2806314b9ed9d7b909c866ed8dfe0cd745e5f0d0be520c3265383782ad0b67bb

General

Target

NEAS.0f4523660b7d8c30dd68c3b765140730.exe
Size

72KB
MD5

0f4523660b7d8c30dd68c3b765140730
SHA1

dd96c744fd1546c23b695e982ea11222cc5cf9b6
SHA256

2806314b9ed9d7b909c866ed8dfe0cd745e5f0d0be520c3265383782ad0b67bb
SHA512

b2de1c0f5449407f5944b863dae79d4d305f39d1b86dbef430f27dc04cf2e710ac2391b38792e3a6050e818fdc4e3221048233f2db2f014bbc01bbbc87bcec30
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVW6QptwyG:G6zqhyYtkYW/CPnO3ajwyG

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4364 MediaCenter.exe

pid	process
4364	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1496 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3948 PING.EXE

pid	process
1496	reg.exe

pid	process
3948	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.0f4523660b7d8c30dd68c3b765140730.execmd.execmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 4348	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1292 wrote to memory of 4348	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1292 wrote to memory of 4348	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1292 wrote to memory of 4364	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 1292 wrote to memory of 4364	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 1292 wrote to memory of 4364	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	MediaCenter.exe
PID 4348 wrote to memory of 1496	4348	cmd.exe	reg.exe
PID 4348 wrote to memory of 1496	4348	cmd.exe	reg.exe
PID 4348 wrote to memory of 1496	4348	cmd.exe	reg.exe
PID 1292 wrote to memory of 1080	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1292 wrote to memory of 1080	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1292 wrote to memory of 1080	1292	NEAS.0f4523660b7d8c30dd68c3b765140730.exe	cmd.exe
PID 1080 wrote to memory of 3948	1080	cmd.exe	PING.EXE
PID 1080 wrote to memory of 3948	1080	cmd.exe	PING.EXE
PID 1080 wrote to memory of 3948	1080	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1496

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.0f4523660b7d8c30dd68c3b765140730.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
3a83f27abb60fef21b46155d7446bb55

SHA1
9b185fac92444670fae3cd541f110fdfd9b7b09c

SHA256
863611e9efb824230b406aeb76d33020b37ec115b1a4f9c817327a764d9c25bd

SHA512
2774ef97caa8475be68b3469b8860f1e786e5404cd17c869cecf29f6347afcd09b30f1a58c8f47316f30895e60b2288b93898193f40c7895feefe0fc6b5e2f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
3a83f27abb60fef21b46155d7446bb55

SHA1
9b185fac92444670fae3cd541f110fdfd9b7b09c

SHA256
863611e9efb824230b406aeb76d33020b37ec115b1a4f9c817327a764d9c25bd

SHA512
2774ef97caa8475be68b3469b8860f1e786e5404cd17c869cecf29f6347afcd09b30f1a58c8f47316f30895e60b2288b93898193f40c7895feefe0fc6b5e2f58

Download Submit
memory/1292-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1292-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1292-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4364-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4364-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4364-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads