sakula | b3f1d81a5f5e79891da3e17298157d2fbb7891fe87fa74bf36dc90673895e4be

General

Target

NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
Size

38KB
MD5

b8525a8bfe1b7d28eae8d22095d9fc20
SHA1

a47d464fe96ac008ba33cb1cb473fccc1db257b5
SHA256

b3f1d81a5f5e79891da3e17298157d2fbb7891fe87fa74bf36dc90673895e4be
SHA512

1ca200abdce7cda32e6f52276c9361daa8f30fe78e707783296d2bed54ee9fae9b1761596607265a9b5b97d4734b2b6541183f3d04880a5dd75a6698a76bbf37
SSDEEP

768:47Xezc/T6Zp14hyYtoVxYF9mH3l4ezcV0:w6zqhyYtkYWXlX9

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2820 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2848 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe

pid process

2772 NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
2772 NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe

pid	process
2820	cmd.exe

pid	process
2848	MediaCenter.exe

pid	process
2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2944 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2712 PING.EXE

pid	process
2944	reg.exe

pid	process
2712	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.execmd.execmd.exe

description	pid	process	target process
PID 2772 wrote to memory of 2768	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2768	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2768	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2768	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2848	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 2772 wrote to memory of 2848	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 2772 wrote to memory of 2848	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 2772 wrote to memory of 2848	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 2768 wrote to memory of 2944	2768	cmd.exe	reg.exe
PID 2768 wrote to memory of 2944	2768	cmd.exe	reg.exe
PID 2768 wrote to memory of 2944	2768	cmd.exe	reg.exe
PID 2768 wrote to memory of 2944	2768	cmd.exe	reg.exe
PID 2772 wrote to memory of 2820	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2820	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2820	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2772 wrote to memory of 2820	2772	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 2820 wrote to memory of 2712	2820	cmd.exe	PING.EXE
PID 2820 wrote to memory of 2712	2820	cmd.exe	PING.EXE
PID 2820 wrote to memory of 2712	2820	cmd.exe	PING.EXE
PID 2820 wrote to memory of 2712	2820	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2944

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
45599e74d6970b9ac3455e66f8ae5ef2

SHA1
e50ba690c5b82c3f5b84a851682772a926e3043b

SHA256
d51db95ec6bc34bbd5d5ea473f478839431877cf52edf99c38921379756eff6a

SHA512
9fdab276d5025462a82d7ef26f892c8ac21a39c67dfd7aec9c828b2d14541d7ad6531c8d81c0c9b48f39e7de39f8677dbef74cd6bbc080577d09ba43da27ab27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
45599e74d6970b9ac3455e66f8ae5ef2

SHA1
e50ba690c5b82c3f5b84a851682772a926e3043b

SHA256
d51db95ec6bc34bbd5d5ea473f478839431877cf52edf99c38921379756eff6a

SHA512
9fdab276d5025462a82d7ef26f892c8ac21a39c67dfd7aec9c828b2d14541d7ad6531c8d81c0c9b48f39e7de39f8677dbef74cd6bbc080577d09ba43da27ab27

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
45599e74d6970b9ac3455e66f8ae5ef2

SHA1
e50ba690c5b82c3f5b84a851682772a926e3043b

SHA256
d51db95ec6bc34bbd5d5ea473f478839431877cf52edf99c38921379756eff6a

SHA512
9fdab276d5025462a82d7ef26f892c8ac21a39c67dfd7aec9c828b2d14541d7ad6531c8d81c0c9b48f39e7de39f8677dbef74cd6bbc080577d09ba43da27ab27

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
45599e74d6970b9ac3455e66f8ae5ef2

SHA1
e50ba690c5b82c3f5b84a851682772a926e3043b

SHA256
d51db95ec6bc34bbd5d5ea473f478839431877cf52edf99c38921379756eff6a

SHA512
9fdab276d5025462a82d7ef26f892c8ac21a39c67dfd7aec9c828b2d14541d7ad6531c8d81c0c9b48f39e7de39f8677dbef74cd6bbc080577d09ba43da27ab27

Download Submit
memory/2772-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-9-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2772-11-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2772-12-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2848-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads