sakula | 6c6cb006bfc84ecb8913466123ecb832e4630539b6cc6040152516dbb914c825

General

Target

cd6a99b286420dbdf0cf406203526e81.exe
Size

517KB
MD5

cd6a99b286420dbdf0cf406203526e81
SHA1

2b83183925ad2b0e2da4c828cc80d99cf928039f
SHA256

6c6cb006bfc84ecb8913466123ecb832e4630539b6cc6040152516dbb914c825
SHA512

5a3d595cf824bea9ebff2568e2682f0c0b4633ea49d598fde9afbfbd18cc96a69afc0fb8df5d517c0fa8f7af4f9d532545e59146cff6710e35fef33d54f4f7a8
SSDEEP

12288:0RfQn+w8EYiBlMkn5f9J105ko8T6csVe2:g4+wlYBsb3zNsz

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/4968-5-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral2/memory/1276-6-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd6a99b286420dbdf0cf406203526e81.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cd6a99b286420dbdf0cf406203526e81.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4968 MediaCenter.exe

pid	process
4968	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cd6a99b286420dbdf0cf406203526e81.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	cd6a99b286420dbdf0cf406203526e81.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3004 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd6a99b286420dbdf0cf406203526e81.exe

description pid process

Token: SeIncBasePriorityPrivilege 1276 cd6a99b286420dbdf0cf406203526e81.exe

pid	process
3004	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1276	cd6a99b286420dbdf0cf406203526e81.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cd6a99b286420dbdf0cf406203526e81.execmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 4968	1276	cd6a99b286420dbdf0cf406203526e81.exe	MediaCenter.exe
PID 1276 wrote to memory of 4968	1276	cd6a99b286420dbdf0cf406203526e81.exe	MediaCenter.exe
PID 1276 wrote to memory of 4968	1276	cd6a99b286420dbdf0cf406203526e81.exe	MediaCenter.exe
PID 1276 wrote to memory of 4856	1276	cd6a99b286420dbdf0cf406203526e81.exe	cmd.exe
PID 1276 wrote to memory of 4856	1276	cd6a99b286420dbdf0cf406203526e81.exe	cmd.exe
PID 1276 wrote to memory of 4856	1276	cd6a99b286420dbdf0cf406203526e81.exe	cmd.exe
PID 4856 wrote to memory of 3004	4856	cmd.exe	PING.EXE
PID 4856 wrote to memory of 3004	4856	cmd.exe	PING.EXE
PID 4856 wrote to memory of 3004	4856	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\cd6a99b286420dbdf0cf406203526e81.exe
"C:\Users\Admin\AppData\Local\Temp\cd6a99b286420dbdf0cf406203526e81.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\cd6a99b286420dbdf0cf406203526e81.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\tnjxozbg1154646995[1].htm

Filesize
1KB

MD5
8d4c07efda188f4ca3290b68b7b5c2b4

SHA1
ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea

SHA256
e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4

SHA512
fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
517KB

MD5
9b685b5360cc484edfa4dd688ec3e8f6

SHA1
40ea6e9423095332e2c53df85e236eb5917323fd

SHA256
3331fc72ddb1e5803f34ffef51672dc7ca5c32da1c07aeef8c80c847c31d28cf

SHA512
250d37985ac7ae513fec162226c436308ac98d7dbee6d56e28879198d124ef8fb728a4d5de417f5428dbcd7637a1ed82b57aa119602366d0464c9b4301c37f83

Download Submit
memory/1276-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1276-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4968-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads