sakula | b8315b29efea180f7fb39bc4b553101cf9e0060d80f496d1276d38e5e7268fa1

General

Target

0e7c9a03eb6dd834ace9b57347287895.exe
Size

58KB
MD5

0e7c9a03eb6dd834ace9b57347287895
SHA1

4964c09bf7ef04922fc31ac0ec771548de0cf1ec
SHA256

b8315b29efea180f7fb39bc4b553101cf9e0060d80f496d1276d38e5e7268fa1
SHA512

8c7479da2f98e6412b431ede3c1e77e7f4a2326ffe3f45d25dd2d03dea08199dcc27be3494b7e7bdbbb622a8589341792cb18d9c0826fa340a3ebca7de5f0694
SSDEEP

1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/p:iEoIlwIguEA4c5DgA9DOyq0eFh

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4524-5-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/3496-6-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/4524-7-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/3496-12-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/4524-16-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e7c9a03eb6dd834ace9b57347287895.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	0e7c9a03eb6dd834ace9b57347287895.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4524 MediaCenter.exe

pid	process
4524	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0e7c9a03eb6dd834ace9b57347287895.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0e7c9a03eb6dd834ace9b57347287895.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1876 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0e7c9a03eb6dd834ace9b57347287895.exe

description pid process

Token: SeIncBasePriorityPrivilege 3496 0e7c9a03eb6dd834ace9b57347287895.exe

pid	process
1876	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3496	0e7c9a03eb6dd834ace9b57347287895.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0e7c9a03eb6dd834ace9b57347287895.execmd.exe

description	pid	process	target process
PID 3496 wrote to memory of 4524	3496	0e7c9a03eb6dd834ace9b57347287895.exe	MediaCenter.exe
PID 3496 wrote to memory of 4524	3496	0e7c9a03eb6dd834ace9b57347287895.exe	MediaCenter.exe
PID 3496 wrote to memory of 4524	3496	0e7c9a03eb6dd834ace9b57347287895.exe	MediaCenter.exe
PID 3496 wrote to memory of 4372	3496	0e7c9a03eb6dd834ace9b57347287895.exe	cmd.exe
PID 3496 wrote to memory of 4372	3496	0e7c9a03eb6dd834ace9b57347287895.exe	cmd.exe
PID 3496 wrote to memory of 4372	3496	0e7c9a03eb6dd834ace9b57347287895.exe	cmd.exe
PID 4372 wrote to memory of 1876	4372	cmd.exe	PING.EXE
PID 4372 wrote to memory of 1876	4372	cmd.exe	PING.EXE
PID 4372 wrote to memory of 1876	4372	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0e7c9a03eb6dd834ace9b57347287895.exe
"C:\Users\Admin\AppData\Local\Temp\0e7c9a03eb6dd834ace9b57347287895.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e7c9a03eb6dd834ace9b57347287895.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
58KB

MD5
d4ede140c3c1bf6b203ec2b24cd76c74

SHA1
1233ab8b90c9eb94ecea1ba8a6f94c0a131dbafe

SHA256
afac31fc5438d0011755485f7eace851032096254d57d6585a3a828674e793bb

SHA512
ca6db08822fa01dad6a95f9ba6eea25f4be70ad51957bbad7b2dcf4d8ff27afcaeefd766388f7cb70d35b1ef4348abe9bf1bbe38bf66592f13793450385b9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
44KB

MD5
8e4ab7340e4f0f613e76e8d5e8eefd78

SHA1
f33a7eb1ce1ee12f8e8980a416c7d4e35d31677f

SHA256
c751b846efe8ed016a8303273ea5c1ade77da28f6d23fe5ce96b82fdc7f0eda7

SHA512
fa05f8e727f200cac8d962b844d374b12b34cd31faa86918c52da6795c889160d7bed91e249f4ca4c467b5770c648283093458accae174f69b828faf222eec54

Download Submit
memory/3496-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3496-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3496-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads