sakula | 4abf740c48f45def0f1edb3e436d6ffba7ed2365f2dabec48a45d00e96b86c6a

General

Target

859688c36fe52eea9dc010b3d8f95434.exe
Size

4.0MB
MD5

859688c36fe52eea9dc010b3d8f95434
SHA1

8a4f9775b367b95a4dcb5a8167b3e11ce35cc771
SHA256

4abf740c48f45def0f1edb3e436d6ffba7ed2365f2dabec48a45d00e96b86c6a
SHA512

4b536dfe5b2aad71a21c310d6dc719d1d84f244fe053fbf40a24d38023fd0682ab04596b746e1fae2025c868c6ea4a11a62c92f8781777abe96f795c9123d9d0
SSDEEP

24576:DF9mrnE2Z1y/6oTNBZrBEu8C7jnIQCwRO/wTGS5DBMY2:DD2Z1qT3Zz888QCwRO/wT/aY2

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3048 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2152 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

859688c36fe52eea9dc010b3d8f95434.exe

pid process

2848 859688c36fe52eea9dc010b3d8f95434.exe
2848 859688c36fe52eea9dc010b3d8f95434.exe

pid	process
3048	cmd.exe

pid	process
2152	MediaCenter.exe

pid	process
2848	859688c36fe52eea9dc010b3d8f95434.exe
2848	859688c36fe52eea9dc010b3d8f95434.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

859688c36fe52eea9dc010b3d8f95434.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	859688c36fe52eea9dc010b3d8f95434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

784 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

859688c36fe52eea9dc010b3d8f95434.exe

description pid process

Token: SeIncBasePriorityPrivilege 2848 859688c36fe52eea9dc010b3d8f95434.exe

pid	process
784	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2848	859688c36fe52eea9dc010b3d8f95434.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

859688c36fe52eea9dc010b3d8f95434.execmd.exe

description	pid	process	target process
PID 2848 wrote to memory of 2152	2848	859688c36fe52eea9dc010b3d8f95434.exe	MediaCenter.exe
PID 2848 wrote to memory of 2152	2848	859688c36fe52eea9dc010b3d8f95434.exe	MediaCenter.exe
PID 2848 wrote to memory of 2152	2848	859688c36fe52eea9dc010b3d8f95434.exe	MediaCenter.exe
PID 2848 wrote to memory of 2152	2848	859688c36fe52eea9dc010b3d8f95434.exe	MediaCenter.exe
PID 2848 wrote to memory of 3048	2848	859688c36fe52eea9dc010b3d8f95434.exe	cmd.exe
PID 2848 wrote to memory of 3048	2848	859688c36fe52eea9dc010b3d8f95434.exe	cmd.exe
PID 2848 wrote to memory of 3048	2848	859688c36fe52eea9dc010b3d8f95434.exe	cmd.exe
PID 2848 wrote to memory of 3048	2848	859688c36fe52eea9dc010b3d8f95434.exe	cmd.exe
PID 3048 wrote to memory of 784	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 784	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 784	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 784	3048	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\859688c36fe52eea9dc010b3d8f95434.exe
"C:\Users\Admin\AppData\Local\Temp\859688c36fe52eea9dc010b3d8f95434.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\859688c36fe52eea9dc010b3d8f95434.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
1.5MB

MD5
a9802456afa440c9bfb6452d6f47ab0b

SHA1
e239af860a26dae63019b431fe68c57637d27543

SHA256
6ebde7bac825b1c68bcf02855872bd7d2be6a5890d7374634caedebd6b152dcc

SHA512
253883c97295bb436b49ec548f5a5ef86384d9603b21f2152ed24ce1029ec2ffbe0c2a951869ecce268d8e765baa3be0164b3538c36fcb50fd9c2a7ad0a6d16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
2.1MB

MD5
3990af403f78045d59275dbeb9b3d483

SHA1
2024a295eb6735d6351c92d4135c69d98bba5fc4

SHA256
5bc50118d432d1caaa20f4d7b0b36d3d542367cad05a9bf155382b920622d38b

SHA512
7415dd6b1442bdd5d56c04a324230a7e3734d5d82fc0427bbbc3464ee5d59bd9c3dd75b758e9ce3abe7c33749add1208e7812024c03dac0b314eec24b404143d

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
3.3MB

MD5
503abe178c9bac3bdae51624b4719f69

SHA1
b7bb61bfbb8ec8da36fb5408e0e1e28b607568ba

SHA256
ee4067e3b8a4cc36badcf76cedbce36041d420319042e7dbf10c6423dfa1442f

SHA512
8634dd0da0cd3639d0843cd5dff4e76f047e6d6e251fc5b1f720f7d107fe608fbb22c1deeb1603b8219fc336e8e63586aa67ea3a1b5351b44815653e1d5479b1

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
1.3MB

MD5
ac3fc5810827c43ae51e4dded9ec7e12

SHA1
f6313a66e36837bd82cbf98b7633481b92143bdb

SHA256
77ebe2f89b29de547d2ac88702f5fd697a5f8f67dcc9bb45b1097529d4b82f4c

SHA512
c08670ab04f5ce5767071cd19a7e0eaae1479d30834d9ad984c5361f07492db43c9c5b8669629610380e8cff2e3a1658f5889bbabb0afbc6457d49ea17059a5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads