sakula | 2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847

General

Target

2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe
Size

48KB
MD5

06b8ec3185faccd56aa2680267c25793
SHA1

1309feb6d5238ce23114f565b4f679bf38cbd83e
SHA256

2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847
SHA512

f6410b7335c60ff9a0223341003e16d23f121ddc6f18c5286e1c9660c9fcf81e1777ff186e53a43f59bfa510ae05e4d68385df8bfac6667de21e27bad0dd73a1
SSDEEP

768:RaSCio6y6y/FCBJTAIO3OtYVUPsED3VK2+ZtyOjgO4r9vFAg2rqO:5w6y/FCPnO3sYTjipvF2Z

Score

10^/10

sakula discovery persistence rat trojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Sakula family
sakula

Executes dropped EXE 2 IoCs

pid	Process
6020	MediaCenter.exe
1392	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4936	cmd.exe
4748	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3480	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4748	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3392	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	90
PID 960 wrote to memory of 3392	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	90
PID 960 wrote to memory of 3392	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	90
PID 960 wrote to memory of 6020	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	91
PID 960 wrote to memory of 6020	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	91
PID 960 wrote to memory of 6020	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	91
PID 3392 wrote to memory of 3480	3392	cmd.exe	93
PID 3392 wrote to memory of 3480	3392	cmd.exe	93
PID 3392 wrote to memory of 3480	3392	cmd.exe	93
PID 1528 wrote to memory of 1392	1528	cmd.exe	96
PID 1528 wrote to memory of 1392	1528	cmd.exe	96
PID 1528 wrote to memory of 1392	1528	cmd.exe	96
PID 960 wrote to memory of 4936	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	99
PID 960 wrote to memory of 4936	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	99
PID 960 wrote to memory of 4936	960	2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe	99
PID 4936 wrote to memory of 4748	4936	cmd.exe	101
PID 4936 wrote to memory of 4748	4936	cmd.exe	101
PID 4936 wrote to memory of 4748	4936	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe
"C:\Users\Admin\AppData\Local\Temp\2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2f9587beab6f18ccf6dfbba33f6923aed82eb6639973b76ffd757c91d2426847.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:1392

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
48KB

MD5
a3fd9e3b3b1246bc4315ce08e3ea486f

SHA1
2bb40777b620c0de0ff12808cf7df287b22c3388

SHA256
f87b50f3424e20af45ac87067e4ef43b6d0e17256b44e63e716c39cb27be0c94

SHA512
657459c421513a27149edc3c8ed67ab847337f6e9c4a87c9fce874ab11350b5f999f876a0111d800109589cc05a16f4f6f81d57b23bf1842ea3d79af65283bf3

Download Submit
memory/960-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/960-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/960-2-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/960-3-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/960-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/960-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/960-9-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1392-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1392-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1392-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1392-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6020-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6020-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6020-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6020-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6020-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads