sakula | 19a49ff73475d5791e5321ed0e97c27506a29f42f7aaddd046b4f2803d6c966a

General

Target

NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
Size

39KB
MD5

76742b2efc5720b65781c32e1d46c2b0
SHA1

b3eb4fb62baabae404cfaa20cbaafc3d0b9653d4
SHA256

19a49ff73475d5791e5321ed0e97c27506a29f42f7aaddd046b4f2803d6c966a
SHA512

71639a732333e73d998a474c5d1882c1c207871a6878b43c2399ed890a25ba50ec8f90ad8e5bb7c167ed1e71b05d0a27fe2cd3680805518a9e481dc7f8af96c1
SSDEEP

384:Em7SCFozc/T94Umdjpxq4TqvhyY3Q6oVxYiOws0me86g7trW540hd76QLdAeMvVt:n7Xezc/T6Zp14hyYtoVxYIY370YjVt

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1612 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

912 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.76742b2efc5720b65781c32e1d46c2b0.exe

pid process

2788 NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
2788 NEAS.76742b2efc5720b65781c32e1d46c2b0.exe

pid	process
1612	cmd.exe

pid	process
912	MediaCenter.exe

pid	process
2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2788-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2788-2-0x0000000000400000-0x000000000040C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/912-14-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2928 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

584 PING.EXE

pid	process
2928	reg.exe

pid	process
584	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.76742b2efc5720b65781c32e1d46c2b0.execmd.execmd.exe

description	pid	process	target process
PID 2788 wrote to memory of 2648	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 2648	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 2648	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 2648	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 912	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 2788 wrote to memory of 912	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 2788 wrote to memory of 912	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 2788 wrote to memory of 912	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 2648 wrote to memory of 2928	2648	cmd.exe	reg.exe
PID 2648 wrote to memory of 2928	2648	cmd.exe	reg.exe
PID 2648 wrote to memory of 2928	2648	cmd.exe	reg.exe
PID 2648 wrote to memory of 2928	2648	cmd.exe	reg.exe
PID 2788 wrote to memory of 1612	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 1612	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 1612	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 2788 wrote to memory of 1612	2788	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 1612 wrote to memory of 584	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 584	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 584	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 584	1612	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2928

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
089594fdaf8c0b5d80c2d0946d1ccd22

SHA1
370f26fa21ccb578c122262b7b5899ad731e3093

SHA256
7055509b2299cf9c86d37e0e1f2b4c8e8758480cfcaf7e808d9f54e107fe608b

SHA512
53fc1953f59703e15042dc7282646ca0cbf4327f0b5fbc6ff8b1834f9044e741aeb1bc765c87a402e74382183ac5e568512f547982aa0e224c1250da84ce349e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
089594fdaf8c0b5d80c2d0946d1ccd22

SHA1
370f26fa21ccb578c122262b7b5899ad731e3093

SHA256
7055509b2299cf9c86d37e0e1f2b4c8e8758480cfcaf7e808d9f54e107fe608b

SHA512
53fc1953f59703e15042dc7282646ca0cbf4327f0b5fbc6ff8b1834f9044e741aeb1bc765c87a402e74382183ac5e568512f547982aa0e224c1250da84ce349e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
089594fdaf8c0b5d80c2d0946d1ccd22

SHA1
370f26fa21ccb578c122262b7b5899ad731e3093

SHA256
7055509b2299cf9c86d37e0e1f2b4c8e8758480cfcaf7e808d9f54e107fe608b

SHA512
53fc1953f59703e15042dc7282646ca0cbf4327f0b5fbc6ff8b1834f9044e741aeb1bc765c87a402e74382183ac5e568512f547982aa0e224c1250da84ce349e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
089594fdaf8c0b5d80c2d0946d1ccd22

SHA1
370f26fa21ccb578c122262b7b5899ad731e3093

SHA256
7055509b2299cf9c86d37e0e1f2b4c8e8758480cfcaf7e808d9f54e107fe608b

SHA512
53fc1953f59703e15042dc7282646ca0cbf4327f0b5fbc6ff8b1834f9044e741aeb1bc765c87a402e74382183ac5e568512f547982aa0e224c1250da84ce349e

Download Submit
memory/912-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2788-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2788-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2788-10-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2788-11-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2788-12-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2788-13-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads