sakula | 2cca320792270200228141c046006de65a23d2d75ae736216d27d7b1f6161b6a

General

Target

6d8032357e664749d95c74c3cc618231.exe
Size

3.6MB
MD5

6d8032357e664749d95c74c3cc618231
SHA1

ea0f06dc70bd88554e2231d8a9e8545e40dc4df1
SHA256

2cca320792270200228141c046006de65a23d2d75ae736216d27d7b1f6161b6a
SHA512

4eed9e97c4e9e5cca3c71fce9bbb0880e9c9fa36b8db9e55f95bdab7a536b8e410bd223e5723d5ae54e6850ec896fcd1977911f7edf74c6288d3a0f01d45abac
SSDEEP

49152:o852ZjeUNZZH46HsnHVT5ZA+acdD6xXTIN:oU6eUNZZJHsHr

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2720 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1296 MediaCenter.exe
Loads dropped DLL 1 IoCs

Processes:

6d8032357e664749d95c74c3cc618231.exe

pid process

2064 6d8032357e664749d95c74c3cc618231.exe

pid	process
2720	cmd.exe

pid	process
1296	MediaCenter.exe

pid	process
2064	6d8032357e664749d95c74c3cc618231.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6d8032357e664749d95c74c3cc618231.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	6d8032357e664749d95c74c3cc618231.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3004 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d8032357e664749d95c74c3cc618231.exe

description pid process

Token: SeIncBasePriorityPrivilege 2064 6d8032357e664749d95c74c3cc618231.exe

pid	process
3004	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2064	6d8032357e664749d95c74c3cc618231.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6d8032357e664749d95c74c3cc618231.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 1296	2064	6d8032357e664749d95c74c3cc618231.exe	MediaCenter.exe
PID 2064 wrote to memory of 1296	2064	6d8032357e664749d95c74c3cc618231.exe	MediaCenter.exe
PID 2064 wrote to memory of 1296	2064	6d8032357e664749d95c74c3cc618231.exe	MediaCenter.exe
PID 2064 wrote to memory of 1296	2064	6d8032357e664749d95c74c3cc618231.exe	MediaCenter.exe
PID 2064 wrote to memory of 2720	2064	6d8032357e664749d95c74c3cc618231.exe	cmd.exe
PID 2064 wrote to memory of 2720	2064	6d8032357e664749d95c74c3cc618231.exe	cmd.exe
PID 2064 wrote to memory of 2720	2064	6d8032357e664749d95c74c3cc618231.exe	cmd.exe
PID 2064 wrote to memory of 2720	2064	6d8032357e664749d95c74c3cc618231.exe	cmd.exe
PID 2720 wrote to memory of 3004	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 3004	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 3004	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 3004	2720	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6d8032357e664749d95c74c3cc618231.exe
"C:\Users\Admin\AppData\Local\Temp\6d8032357e664749d95c74c3cc618231.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6d8032357e664749d95c74c3cc618231.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab66B1.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
2.5MB

MD5
507118015499b7d5e5fe41ce2544aff2

SHA1
51b023ecaad050c69e5e04660129b120305d8e03

SHA256
fc0b5f80ea554ee40a12674d15e4893f43ae0989d7392a4c6bab3ffd861ae597

SHA512
ca2efb4d7f46d008f9fe0ea6e55baf4d4db77134d81c96e55723371f170f433670f866fee20fe460a00a9fd586e3238446b6e43de46da40caec0493e94512109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar66C4.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
3.2MB

MD5
592a57ca56739b7365aa9e3a794c0231

SHA1
909a25390b931a911094e60541af2dc1151da6f9

SHA256
42d6abd78d9bdd6f8219c501cb433b6bd2e3888edc61e99cac2734730685babd

SHA512
64c78a79d23b166a19aec3959b4068f9951aa8ecd9b8f02f4c80109c4cc32c44b64315bb2d27d791f4a62b66ed1f05deb8bed3705bdb554ba1ef0092b3237652

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads