General

  • Target

    3b5310c324f196e3e314d73df0013b3541872da9ade765b66639277bcb8a9cca

  • Size

    195KB

  • Sample

    240411-y4634sca65

  • MD5

    dd362d4744eaf82a8fec28eb656fad98

  • SHA1

    eb9da2ead66377499ad8ef1a0445d5938622a387

  • SHA256

    3b5310c324f196e3e314d73df0013b3541872da9ade765b66639277bcb8a9cca

  • SHA512

    77e48139b2ff33ea674ff5a8506b80a1232f1e4cadd4fc8e0208e2e71fd5548a53a028713a8caf54bf0f792ebcdb061ea55381eb7a8ae936117b4026b385df9f

  • SSDEEP

    3072:6PPUj3+5FMIn8To94wa7uZwOuz/xS3iGpZMhDEXzkOSUUKeF8a7bXxs:6UC5TUm4wZwBxE1+ijis

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Sakula

      Sakula is a remote access trojan (RAT) that gives its operator remote control of the infected host; the entries below are the behaviours the sandbox observed in this run.

    • Sakula payload

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application
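
To check a file you have on hand against the digests listed above and the "UPX packed file" signature, here is an added example; it is not part of this sandbox report and not the sandbox's own code. It computes the four digests with Python's hashlib and parses the PE section table directly with struct, flagging the UPX0/UPX1/UPX2 section names and the "UPX!" marker that stock UPX leaves behind; a modified UPX may rename the sections, which is why the marker is checked separately. The build_minimal_pe() helper constructs a header-only PE for exercising the parser and is test input, not an executable. SSDEEP is left out: the standard library has no ssdeep, and a fuzzy hash measures similarity rather than identity.

```python
"""Check a file against this report's digests and for UPX packing.

Added example, not part of the sandbox report and not the sandbox's own code.
The digests are the ones listed in the report; the PE parsing below reads only
the fields needed for the section table. build_minimal_pe() is constructed test
input (a header skeleton), not an executable.
"""
import hashlib
import struct
from typing import Dict, List

# Copied from the report's General section.
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "dd362d4744eaf82a8fec28eb656fad98",
    "sha1": "eb9da2ead66377499ad8ef1a0445d5938622a387",
    "sha256": "3b5310c324f196e3e314d73df0013b3541872da9ade765b66639277bcb8a9cca",
    "sha512": "77e48139b2ff33ea674ff5a8506b80a1232f1e4cadd4fc8e0208e2e71fd5548a"
              "53a028713a8caf54bf0f792ebcdb061ea55381eb7a8ae936117b4026b385df9f",
}
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def digest_file(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256/SHA-512 of the buffer, keyed like REPORT_DIGESTS."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_DIGESTS}


def matches_report(data: bytes) -> bool:
    """All four digests must agree; one mismatch means a different file, not a near miss."""
    return digest_file(data) == REPORT_DIGESTS


def pe_section_names(data: bytes) -> List[bytes]:
    """Section names from the PE section table; raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(data):
        raise ValueError("COFF header truncated")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + size_opt              # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 and writes a "UPX!" marker; a modified
    UPX may rename the sections, so the marker is checked independently."""
    try:
        names = set(pe_section_names(data))
    except ValueError:
        return False
    return bool(names & UPX_SECTION_NAMES) or b"UPX!" in data


def build_minimal_pe(section_names: List[bytes]) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header, zeroed PE32
    optional header and a section table carrying the given names."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    size_opt = 0xE0                                                  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + b"\0" * size_opt + sections


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: python check_sample.py <file>")
    blob = open(sys.argv[1], "rb").read()
    print("matches report:", matches_report(blob))
    print("sections:", pe_section_names(blob))
    print("UPX packed:", looks_upx_packed(blob))
```

Run it against the sample itself to confirm the four digests, or against the "UPX dump on OEP" output to confirm the unpacked image no longer carries the UPX section names.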

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                            ID         Count
  Persistence           Boot or Logon Autostart Execution    T1547      1
  Persistence           Registry Run Keys / Startup Folder   T1547.001  1
  Privilege Escalation  Boot or Logon Autostart Execution    T1547      1
  Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001  1
  Defense Evasion       Modify Registry                      T1112      1
  Discovery             Query Registry                       T1012      1
  Discovery             System Information Discovery         T1082      2
  Discovery             Remote System Discovery              T1018      1
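
The Run-key persistence signature, the T1547.001 rows in the matrix and the extracted C2 www.polarroute.com are the indicators an analyst would sweep endpoint telemetry for. The following is an added example, not part of the report and not Sysmon's or the sandbox's code: it runs two checks over Sysmon events in a JSON-lines shape of my own choosing. Event ID 13 (registry value set) is checked for writes under Run/RunOnce, with the HKU\<SID> form collapsed to HKCU and Wow6432Node covered; Event ID 22 (DNS query) is checked for the C2 host and, as an analyst choice, any other subdomain of polarroute.com. The sample records are constructed; the user, SID, paths and value names are made up. One caveat: Sysmon records registry writes, not reads, so the country-code lookup the report attributes to the sample (Query Registry, T1012) is not observable in this data.

```python
"""Sweep Sysmon records for the indicators in this report.

Added example, not part of the sandbox report or of Sysmon. The JSON-lines
record shape and the sample events are constructed for illustration.
"""
import json
import re
from typing import List, Optional

C2_HOST = "www.polarroute.com"   # extracted C2 from the report
C2_BASE = "polarroute.com"       # analyst choice: also watch sibling subdomains

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices)\\",
    re.IGNORECASE,
)
# Sysmon reports HKCU as HKU\<SID>; collapse it so one rule covers every user.
SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)


def extract_image_path(details: str) -> str:
    """Registry Details carries the autostart command line; return its executable."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def check_run_key(event: dict) -> Optional[dict]:
    """T1547.001: a value written under a Run/RunOnce key (Sysmon Event ID 13)."""
    if event.get("EventID") != 13:
        return None
    target = SID_RE.sub("HKCU", event.get("TargetObject", "").strip())
    m = RUN_KEY_RE.search(target)
    if not m:
        return None
    image = extract_image_path(event.get("Details", ""))
    # An autostart entry pointing into a user-writable directory is the classic
    # dropper pattern; one under Program Files is usually installed software.
    severity = "high" if USER_WRITABLE_RE.search(image) else "medium"
    return {"technique": "T1547.001", "key": m.group(1), "target": target,
            "image": image, "process": event.get("Image", ""), "severity": severity}


def check_c2_dns(event: dict) -> Optional[dict]:
    """C2 lookup: Sysmon Event ID 22 QueryName against the extracted domain."""
    if event.get("EventID") != 22:
        return None
    qname = event.get("QueryName", "").strip().rstrip(".").lower()
    if qname == C2_HOST:
        severity = "high"
    elif qname == C2_BASE or qname.endswith("." + C2_BASE):
        severity = "medium"    # sibling subdomain: same infrastructure, weaker match
    else:
        return None
    return {"technique": "C2", "qname": qname, "process": event.get("Image", ""),
            "severity": severity}


def scan(lines) -> List[dict]:
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                     # skip malformed records rather than abort
        for check in (check_run_key, check_c2_dns):
            hit = check(event)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry; user, SID, paths and value names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VMware User Process",
     "Details": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "QueryName": "WWW.polarroute.com."},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.org"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n{not json\n"


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed records this yields a high-severity Run-key hit for the AppData executable, a medium one for the Program Files entry, and a high-severity C2 hit for the updater's DNS query; the service key write and the malformed line produce nothing.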

Tasks