sakula | d478e209178aa7b10018e4b0307e48566f1851b9934e13387516f39fe179b9ab

General

Target

b22159318412b6e0ed004b2bb69d57bb.exe
Size

4.5MB
MD5

b22159318412b6e0ed004b2bb69d57bb
SHA1

48f2b5265b83a71541e4a0cb23c796a81dc11856
SHA256

d478e209178aa7b10018e4b0307e48566f1851b9934e13387516f39fe179b9ab
SHA512

6193ab544bf773da09741d604133590c2964b2bb27ff2b612a5934b0010fa3dd658a64231ee3e986ae96b9246b58fa9ba71d75bd99d592b9126a1427bbcfac66
SSDEEP

24576:0+9mrnE2Zjll/6b8h3UZrgEu8CkBW+M3nXvIMfhlG144EE/f5DBMY1:0Y2ZjlkWEZw8Jk+EXvIMfP4FRaY1

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2384 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2212 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

pid process

3060 b22159318412b6e0ed004b2bb69d57bb.exe
3060 b22159318412b6e0ed004b2bb69d57bb.exe

pid	process
2384	cmd.exe

pid	process
2212	MediaCenter.exe

pid	process
3060	b22159318412b6e0ed004b2bb69d57bb.exe
3060	b22159318412b6e0ed004b2bb69d57bb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	b22159318412b6e0ed004b2bb69d57bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

616 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

description pid process

Token: SeIncBasePriorityPrivilege 3060 b22159318412b6e0ed004b2bb69d57bb.exe

pid	process
616	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3060	b22159318412b6e0ed004b2bb69d57bb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b22159318412b6e0ed004b2bb69d57bb.execmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 2212	3060	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 3060 wrote to memory of 2212	3060	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 3060 wrote to memory of 2212	3060	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 3060 wrote to memory of 2212	3060	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 3060 wrote to memory of 2384	3060	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 3060 wrote to memory of 2384	3060	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 3060 wrote to memory of 2384	3060	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 3060 wrote to memory of 2384	3060	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 2384 wrote to memory of 616	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 616	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 616	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 616	2384	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe
"C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
164KB

MD5
f4a83b9ec86cb166db75fa91d474f058

SHA1
e641a2e05271e32158e2639e690a7b1736344fab

SHA256
9d61b65b57abb595ed95502e9a7016119e132e9b4da2971a27219e905f1b6fd3

SHA512
43cdc5c77e2e5822e7a88bf2204352da9c8ef737d0452db26bc4c673671a18ffa4d42f046a4cc084a9650a70d832e02ae679b874bee8ebb4d4aa41a687c17f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
79KB

MD5
438f646b566cb8cc92b94ea454fee00d

SHA1
44c4e5021ece0006e7b9709e80823f0d5ff0f99c

SHA256
e714e20538176c10a384d6f9549b6b9e26abed51eb1cfedf5f6ec086d2d9f8d4

SHA512
9a9b20bba9aba4b1de0db30d7395631ddc6b2c113e4a7393ed51c2657d9384ef741468b93dbc68c93534f0f204a030aac4d3d9cc1b11e5072af280e82d9f9622

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
105KB

MD5
d9e3619cc1203601aafd93acd896e75e

SHA1
94e10f712a05f59b7b8e843b5d97622deffb4e13

SHA256
78963e58afcb88b793ab37f283244def8e3d8ddf2fc9340a5f6856ebe2306dab

SHA512
a347e04eb3f8004e3a3dbf4ff1b9453c2cb643e1fd60d6c0ca89f4e97bc49cf5a6dbc06bf7b1d82d96e904ca8dc40f9c03272eed7f571dae1af4fe1c0e1ac8eb

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
108KB

MD5
a6832429f50474e406da5e99ff859d6a

SHA1
d050c01125b16c08a138027114eec072b16abe67

SHA256
4bfa776c2fc959003423672a00d861eb93ddc4f581bb129fec4df4fd7411b2e7

SHA512
17cf0d20bbbdd8ab3201475a5fc1cdca7ab692dddeff17c95c40035b15005e515a12286cccc1cc697b77327c38472f2a6f127fc14531797c2de1f0547872d42a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads