sakula | 274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3

General

Target

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe
Size

43KB
MD5

abe57f897e0be11d231c9088c7bbad09
SHA1

11144451f8a5984e213640ae3b0adf2199995f76
SHA256

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3
SHA512

b37f3dcbe2d4743be71907ee938ed493dcd8cdacfe3f180ec524d9042978c270aa52bfd432dc5883c539cb6171088330031a30478093e692f486ed5b7b45eff1
SSDEEP

768:+U9XnKJv8KrtPNxT4oreP7cIK3yQpdk6x8pf9m4P/S0hVvIZiGDZ6RO8nHE8taq/:+U9abrtX4oocIK3yQkaY9z/S0hhy6k81

Score

10^/10

sakula discovery persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-11-0x00000000013D0000-0x00000000013EF000-memory.dmp	family_sakula
behavioral1/memory/1400-14-0x0000000001200000-0x000000000121F000-memory.dmp	family_sakula
behavioral1/memory/2908-22-0x00000000013D0000-0x00000000013EF000-memory.dmp	family_sakula
behavioral1/memory/1400-28-0x0000000001200000-0x000000000121F000-memory.dmp	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2532	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid	Process
1400	MediaCenter.exe

Loads dropped DLL 2 IoCs

Processes:

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

pid	Process
2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe
2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2908-0-0x00000000013D0000-0x00000000013EF000-memory.dmp	upx
behavioral1/files/0x0008000000017234-2.dat	upx
behavioral1/memory/1400-10-0x0000000001200000-0x000000000121F000-memory.dmp	upx
behavioral1/memory/2908-11-0x00000000013D0000-0x00000000013EF000-memory.dmp	upx
behavioral1/memory/1400-14-0x0000000001200000-0x000000000121F000-memory.dmp	upx
behavioral1/memory/2908-22-0x00000000013D0000-0x00000000013EF000-memory.dmp	upx
behavioral1/memory/1400-28-0x0000000001200000-0x000000000121F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.execmd.exePING.EXEMediaCenter.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
2532	cmd.exe
3048	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3048	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.execmd.exe

description	pid	Process	procid_target
PID 2908 wrote to memory of 1400	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	30
PID 2908 wrote to memory of 1400	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	30
PID 2908 wrote to memory of 1400	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	30
PID 2908 wrote to memory of 1400	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	30
PID 2908 wrote to memory of 2532	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	32
PID 2908 wrote to memory of 2532	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	32
PID 2908 wrote to memory of 2532	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	32
PID 2908 wrote to memory of 2532	2908	274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe	32
PID 2532 wrote to memory of 3048	2532	cmd.exe	34
PID 2532 wrote to memory of 3048	2532	cmd.exe	34
PID 2532 wrote to memory of 3048	2532	cmd.exe	34
PID 2532 wrote to memory of 3048	2532	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe
"C:\Users\Admin\AppData\Local\Temp\274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\274d9fc9a589e5bc6fe6ebd2ab94f35db74b84b8d7ba746332e11e98497f87c3.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
43KB

MD5
e0f9e85b8b31de6498763f846786c9a9

SHA1
7271b4743ca088f6362de379b7b3e45b60838fd6

SHA256
29f1115255d50d3763f10fffbf5b093facaf68213c880f2945cacb7dab0e4c8d

SHA512
3b8771f38c526b444f6609682b7e0ebefb697c0496eb4d8f8296e3a1940ab8291b863f82155fed49b30e2fe3af37a67058271445c70afe1fc198eaf5b4be87ac

Download Submit
memory/1400-10-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/1400-14-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/1400-28-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/2908-0-0x00000000013D0000-0x00000000013EF000-memory.dmp

Filesize
124KB

Download
memory/2908-9-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/2908-11-0x00000000013D0000-0x00000000013EF000-memory.dmp

Filesize
124KB

Download
memory/2908-12-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/2908-13-0x0000000001200000-0x000000000121F000-memory.dmp

Filesize
124KB

Download
memory/2908-22-0x00000000013D0000-0x00000000013EF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads