General

  • Target

    abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51

  • Size

    212KB

  • Sample

    240308-14m2cahh2s

  • MD5

    1357e64b7017ef220c506b4b539e1a87

  • SHA1

    2eaa81c569c5e626d8a36dbdafa285a88d1c2ab1

  • SHA256

    abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51

  • SHA512

    e226ca35d6e841f0e9b3eacfb323cdecdc4e6a950dcbe6295203cd9ef55d2038c9d9b24c662d6d7f7a77cabface9b2d73fc70fa56f1e6d6e8be561c6bbcca012

  • SSDEEP

    1536:ftQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0SanB1:u29DkEGRQixVSjLc130BYgjXjpgnB1

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51

    • Size

      212KB

    • MD5

      1357e64b7017ef220c506b4b539e1a87

    • SHA1

      2eaa81c569c5e626d8a36dbdafa285a88d1c2ab1

    • SHA256

      abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51

    • SHA512

      e226ca35d6e841f0e9b3eacfb323cdecdc4e6a950dcbe6295203cd9ef55d2038c9d9b24c662d6d7f7a77cabface9b2d73fc70fa56f1e6d6e8be561c6bbcca012

    • SSDEEP

      1536:ftQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0SanB1:u29DkEGRQixVSjLc130BYgjXjpgnB1

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks