sakula | a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b

General

Target

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe
Size

89KB
MD5

a82d0957ae9a8473296d7a75b45f3bff
SHA1

edac919768c2bb44efe85e44a784b0e475b777e9
SHA256

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b
SHA512

dc33a277a1c23c4952e366abec3851af9c01a0c912e9d9e03ff901f3d04492612d8568ac9869b0e9417714d505b94fe2f0cbd0280b6af323c4301d514164c454
SSDEEP

1536:PQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtrc:w29DkEGRQixVSjLaes5G30B4

Score

10^/10

sakula discovery persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Sakula family
sakula

Sakula payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000e000000023bb7-3.dat	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid	Process
748	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exeMediaCenter.execmd.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
1384	cmd.exe
2420	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2420	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.execmd.exe

description	pid	Process	procid_target
PID 5080 wrote to memory of 748	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	83
PID 5080 wrote to memory of 748	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	83
PID 5080 wrote to memory of 748	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	83
PID 5080 wrote to memory of 1384	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	99
PID 5080 wrote to memory of 1384	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	99
PID 5080 wrote to memory of 1384	5080	a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe	99
PID 1384 wrote to memory of 2420	1384	cmd.exe	101
PID 1384 wrote to memory of 2420	1384	cmd.exe	101
PID 1384 wrote to memory of 2420	1384	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe
"C:\Users\Admin\AppData\Local\Temp\a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a1609ac64c824718ee1464c8ee66e24d6167a27c94054185b4595350ab5ee86b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
89KB

MD5
11a186041007342d7138a236a414a9c6

SHA1
e660489247211beee2f048b0eeabf6383a1271dc

SHA256
1ba67f749dfe2008e6495a26231250265ea904c1626dc7cfbe2283aa3d2d7941

SHA512
5710a304818b1edf69a388786e5962ed6528e5c665622035a1a6f9f7af7161d0921ad935f291a7dbe12516945626ffff24ad96fec0a9d7373171c8a42862e446

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads