Sakula
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Sakula contains UAC bypass code for both 32- and 64-bit systems.[1] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Most Sakula samples maintain persistence by setting the Registry Run key |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[1] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Some Sakula samples install themselves as services for persistence by calling WinExec with the |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL |
Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[1] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Some Sakula samples use cmd.exe to delete temporary files.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[1] |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Sakula calls cmd.exe to run various DLL files via rundll32.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0009 | Deep Panda |