sakula | 19a49ff73475d5791e5321ed0e97c27506a29f42f7aaddd046b4f2803d6c966a

General

Target

NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
Size

39KB
MD5

76742b2efc5720b65781c32e1d46c2b0
SHA1

b3eb4fb62baabae404cfaa20cbaafc3d0b9653d4
SHA256

19a49ff73475d5791e5321ed0e97c27506a29f42f7aaddd046b4f2803d6c966a
SHA512

71639a732333e73d998a474c5d1882c1c207871a6878b43c2399ed890a25ba50ec8f90ad8e5bb7c167ed1e71b05d0a27fe2cd3680805518a9e481dc7f8af96c1
SSDEEP

384:Em7SCFozc/T94Umdjpxq4TqvhyY3Q6oVxYiOws0me86g7trW540hd76QLdAeMvVt:n7Xezc/T6Zp14hyYtoVxYIY370YjVt

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4452 MediaCenter.exe

pid	process
4452	MediaCenter.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3560-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/3560-2-0x0000000000400000-0x000000000040C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/4452-6-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3236 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4000 PING.EXE

pid	process
3236	reg.exe

pid	process
4000	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.76742b2efc5720b65781c32e1d46c2b0.execmd.execmd.exe

description	pid	process	target process
PID 3560 wrote to memory of 3404	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 3560 wrote to memory of 3404	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 3560 wrote to memory of 3404	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 3560 wrote to memory of 4452	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 3560 wrote to memory of 4452	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 3560 wrote to memory of 4452	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	MediaCenter.exe
PID 3404 wrote to memory of 3236	3404	cmd.exe	reg.exe
PID 3404 wrote to memory of 3236	3404	cmd.exe	reg.exe
PID 3404 wrote to memory of 3236	3404	cmd.exe	reg.exe
PID 3560 wrote to memory of 548	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 3560 wrote to memory of 548	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 3560 wrote to memory of 548	3560	NEAS.76742b2efc5720b65781c32e1d46c2b0.exe	cmd.exe
PID 548 wrote to memory of 4000	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 4000	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 4000	548	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3236

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
7bf7e9e9f9c48641e5fd5991ea48e1a4

SHA1
de41ff03059aeb5ce5f578b658028627595cec66

SHA256
a0651e33f6eb99103efc3794e2d92f225d617c4cab43c5978480d9c5bc874500

SHA512
744004526801aec05e6ff6d9a8b0f3fcf1b5360fc3cd0d2c2abea1918bdb24847095948ab85f3d1166cc01ef24b1e96782f4773b8eefc47fce6682345c788d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
39KB

MD5
7bf7e9e9f9c48641e5fd5991ea48e1a4

SHA1
de41ff03059aeb5ce5f578b658028627595cec66

SHA256
a0651e33f6eb99103efc3794e2d92f225d617c4cab43c5978480d9c5bc874500

SHA512
744004526801aec05e6ff6d9a8b0f3fcf1b5360fc3cd0d2c2abea1918bdb24847095948ab85f3d1166cc01ef24b1e96782f4773b8eefc47fce6682345c788d59

Download Submit
memory/3560-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3560-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4452-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads