sakula | 8408e2d947a8860350c89a2c2139c7af6515ddb9d0cc22be8c4112d732707785

General

Target

b41037a3595ab3773a7c254751e1c319.exe
Size

4.0MB
MD5

b41037a3595ab3773a7c254751e1c319
SHA1

2b9ec9e5b4307c03534d16a86b2aa84b6f2cdc9c
SHA256

8408e2d947a8860350c89a2c2139c7af6515ddb9d0cc22be8c4112d732707785
SHA512

c9da642c063c49b98a8f3c2433a92425f8cec7e466afa0e06690366ba9fad73cc9ae1210d363bf92c3d59d216c99febce2a7e5b6e649616c6445a76fccbc24ba
SSDEEP

24576:DF9mrnE2Z1y/6oTNBZrBEu8C7jnIQCwRO/wTGS5DBMYf:DD2Z1qT3Zz888QCwRO/wT/aYf

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2348 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

b41037a3595ab3773a7c254751e1c319.exe

pid process

2360 b41037a3595ab3773a7c254751e1c319.exe
2360 b41037a3595ab3773a7c254751e1c319.exe

pid	process
2584	cmd.exe

pid	process
2348	MediaCenter.exe

pid	process
2360	b41037a3595ab3773a7c254751e1c319.exe
2360	b41037a3595ab3773a7c254751e1c319.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b41037a3595ab3773a7c254751e1c319.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	b41037a3595ab3773a7c254751e1c319.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2888 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b41037a3595ab3773a7c254751e1c319.exe

description pid process

Token: SeIncBasePriorityPrivilege 2360 b41037a3595ab3773a7c254751e1c319.exe

pid	process
2888	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2360	b41037a3595ab3773a7c254751e1c319.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b41037a3595ab3773a7c254751e1c319.execmd.exe

description	pid	process	target process
PID 2360 wrote to memory of 2348	2360	b41037a3595ab3773a7c254751e1c319.exe	MediaCenter.exe
PID 2360 wrote to memory of 2348	2360	b41037a3595ab3773a7c254751e1c319.exe	MediaCenter.exe
PID 2360 wrote to memory of 2348	2360	b41037a3595ab3773a7c254751e1c319.exe	MediaCenter.exe
PID 2360 wrote to memory of 2348	2360	b41037a3595ab3773a7c254751e1c319.exe	MediaCenter.exe
PID 2360 wrote to memory of 2584	2360	b41037a3595ab3773a7c254751e1c319.exe	cmd.exe
PID 2360 wrote to memory of 2584	2360	b41037a3595ab3773a7c254751e1c319.exe	cmd.exe
PID 2360 wrote to memory of 2584	2360	b41037a3595ab3773a7c254751e1c319.exe	cmd.exe
PID 2360 wrote to memory of 2584	2360	b41037a3595ab3773a7c254751e1c319.exe	cmd.exe
PID 2584 wrote to memory of 2888	2584	cmd.exe	PING.EXE
PID 2584 wrote to memory of 2888	2584	cmd.exe	PING.EXE
PID 2584 wrote to memory of 2888	2584	cmd.exe	PING.EXE
PID 2584 wrote to memory of 2888	2584	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b41037a3595ab3773a7c254751e1c319.exe
"C:\Users\Admin\AppData\Local\Temp\b41037a3595ab3773a7c254751e1c319.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b41037a3595ab3773a7c254751e1c319.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
197KB

MD5
c64e37d17c4daa80a4d22b0af9454e6f

SHA1
62de02378ce2193ab3b7bbbe702a64f403afb611

SHA256
5481c2f82e5c5e3a3e4a21dcb3ccca3fb5fd54aede149af1d27e549315ee1f85

SHA512
710e59a523fb243eb6053df81525c8074d297a9cdbc8bb710dbfdcee44c0405b5aeda4a80fb777a4f548f1b72e6078079e557704fa4f83d3a16aa20a471dc8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
257KB

MD5
2ae1e5bebedbaca360bef43514941806

SHA1
02c277f6fe5d3373c2e862fcd572aa5de056ba50

SHA256
7ba9c720c189ca7df49107548c3306c7f2219a6cd8e525ae55d64143971ad20c

SHA512
e739459b466082202b2155574301de34d12f431804655fed60ca6855e5f31f33a05cfacd702c1dbbc2d20dc75ea0c3653855bed6b200e037a262dfb4ae39ea43

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
256KB

MD5
71f6d114c100904944fc3cefe4b73099

SHA1
fdc7f8dc08fb59bc799093a4ea9b5821dbb96a10

SHA256
4aa7000f4bbddd0f5f7b89cde18c8997695973102860023244410533efac696f

SHA512
5088128604f9e776e75b994c1138b3bf10dd50473d65c556e14ec1df3e750fc811724e4705ca15976384cd506f35e2f5e2e2881d520b779bcfbe6d481b12e1b6

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
305KB

MD5
ca93ff32a40b7f568b915d1f3d8cc32f

SHA1
d8fed586afb7de917425c72e72504fa022ae4fa9

SHA256
41a4939669b1cb3059e34e3f16c914fa552f3466c656859ede0923bb4f885453

SHA512
5c42201bafdaf93e66281b62bc54c88e0763b5128e23d30fe1cc5941177c16e7f503e5bfd789a3cd3f4bf5ecb45ef29ae4401b7b4f492f64d736638a7e86c316

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads