sakula | 26fc1f02e0b88017b99d811342a5b00753a944832fcf94b2a08b59065eeaa590

General

Target

NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe
Size

40KB
MD5

9a34b739c35e37e7bffa7e46b73a0b50
SHA1

c0d7c30c0a973a501ef3365032607828a80ae2aa
SHA256

26fc1f02e0b88017b99d811342a5b00753a944832fcf94b2a08b59065eeaa590
SHA512

dcbb30236d5c4f76f124ac41507e51d5de37773f3a5b91223f6eba62015aba0b7305cfe6d875606d3ea3e10bebe7850c7b003873e95a6c973ab65c6362625b83
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVo:G6zqhyYtkYW/CPnO3A

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2564 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2844 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe

pid process

2152 NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe
2152 NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe

pid	process
2564	cmd.exe

pid	process
2844	MediaCenter.exe

pid	process
2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe
2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2620 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2936 PING.EXE

pid	process
2620	reg.exe

pid	process
2936	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.9a34b739c35e37e7bffa7e46b73a0b50.execmd.execmd.exe

description	pid	process	target process
PID 2152 wrote to memory of 1560	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 1560	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 1560	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 1560	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 2844	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	MediaCenter.exe
PID 2152 wrote to memory of 2844	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	MediaCenter.exe
PID 2152 wrote to memory of 2844	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	MediaCenter.exe
PID 2152 wrote to memory of 2844	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	MediaCenter.exe
PID 1560 wrote to memory of 2620	1560	cmd.exe	reg.exe
PID 1560 wrote to memory of 2620	1560	cmd.exe	reg.exe
PID 1560 wrote to memory of 2620	1560	cmd.exe	reg.exe
PID 1560 wrote to memory of 2620	1560	cmd.exe	reg.exe
PID 2152 wrote to memory of 2564	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 2564	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 2564	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2152 wrote to memory of 2564	2152	NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe	cmd.exe
PID 2564 wrote to memory of 2936	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2936	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2936	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2936	2564	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2620

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
07bba5eccde7898e95f6744ea9d5af11

SHA1
c1d8c4a5a7e14758958d2dae2a8bcc9d710457a4

SHA256
e8f7bdb132223576169254282c042848ca665ef666a28c0d78ff87a45c0cf59c

SHA512
73f9c54ec5da94bf006d196c6238636448648247e15493e762edfed43009690d658d4b73610c15a5d6f11ce2ca71e162433f8814477a0689fbbf193890ce3a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
07bba5eccde7898e95f6744ea9d5af11

SHA1
c1d8c4a5a7e14758958d2dae2a8bcc9d710457a4

SHA256
e8f7bdb132223576169254282c042848ca665ef666a28c0d78ff87a45c0cf59c

SHA512
73f9c54ec5da94bf006d196c6238636448648247e15493e762edfed43009690d658d4b73610c15a5d6f11ce2ca71e162433f8814477a0689fbbf193890ce3a89

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
07bba5eccde7898e95f6744ea9d5af11

SHA1
c1d8c4a5a7e14758958d2dae2a8bcc9d710457a4

SHA256
e8f7bdb132223576169254282c042848ca665ef666a28c0d78ff87a45c0cf59c

SHA512
73f9c54ec5da94bf006d196c6238636448648247e15493e762edfed43009690d658d4b73610c15a5d6f11ce2ca71e162433f8814477a0689fbbf193890ce3a89

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
07bba5eccde7898e95f6744ea9d5af11

SHA1
c1d8c4a5a7e14758958d2dae2a8bcc9d710457a4

SHA256
e8f7bdb132223576169254282c042848ca665ef666a28c0d78ff87a45c0cf59c

SHA512
73f9c54ec5da94bf006d196c6238636448648247e15493e762edfed43009690d658d4b73610c15a5d6f11ce2ca71e162433f8814477a0689fbbf193890ce3a89

Download Submit
memory/2152-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-5-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2152-10-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2844-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads