win.sakula_rat

Sakula RAT

aka: Sakurel

Actor(s): APT 26, Hurricane Panda


Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.

References
2018-11-16 | CyberThreatIntelligence Blog | Action09
@online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } (C)0ld Case : From Aerospace to China’s interests.
Sakula RAT
2016-07-14 | Github (nccgroup) | NCC Group PLC
@online{plc:20160714:technical:a0afcbd, author = {NCC Group PLC}, title = {{Technical Notes on Sakula}}, date = {2016-07-14}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula}, language = {English}, urldate = {2020-01-08} } Technical Notes on Sakula
Sakula RAT
2015-08-06 | Symantec | Jon DiMaggio
@online{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group}, language = {English}, urldate = {2022-04-25} } The Black Vine cyberespionage group
Sakula RAT
2015-07-30 | Secureworks | Dell Secureworks CTU
@online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } Sakula Malware Family
Sakula RAT
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-02-23 | Symantec | Symantec
@online{symantec:20140223:trojansakurel:9674bd4, author = {Symantec}, title = {{Trojan.Sakurel}}, date = {2014-02-23}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99}, language = {English}, urldate = {2020-01-06} } Trojan.Sakurel
Sakula RAT
2014-02-21 | SonicWall | Ed Miles
@online{miles:20140221:cve:fec48e2, author = {Ed Miles}, title = {{CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)}}, date = {2014-02-21}, organization = {SonicWall}, url = {https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654}, language = {English}, urldate = {2022-06-02} } CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)
Sakula RAT
Yara Rules
[TLP:WHITE] win_sakula_rat_auto (20230125 | Detects win.sakula_rat.)
rule win_sakula_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sakula_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Only the hex inside the braces is matched by YARA; the "| mnemonic"
     * annotations are informational and, as rendered here, do not line up
     * with the opcode column. Example: the annotations of $sequence_4
     * (push 0 / push 0x100 / push 0 / push 0 / add esp, 4) describe the bytes
     * of $sequence_0 and the start of $sequence_1, while $sequence_0 itself is
     * annotated "dec eax / lea ...". In $sequence_12 a 0x48-prefixed opcode
     * is rendered as two rows ("dec eax" plus the real lea), i.e. x64 REX
     * prefixes were decoded as 32-bit instructions, shifting every later row.
     * Decode the hex directly rather than trusting the comments.
     * The score-100 sequences contain 0x48/0x4c prefixes, which suggests they
     * were taken from an x64 sample - confirm against the referenced samples.
     */

    strings:
        $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? }
            // n = 5, score = 300
            //   6a00                 | dec                 eax
            //   6800010000           | lea                 edx, [esp + 0x58]
            //   6a00                 | dec                 eax
            //   6a00                 | lea                 edx, [0x10a4]
            //   68????????           |                     

        $sequence_1 = { e8???????? 83c404 5b 85c0 5f a3???????? 0f95c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | pop                 eax
            //   5b                   | jmp                 0x16
            //   85c0                 | mov                 dword ptr [ebp - 0xc], 0x2d4be5
            //   5f                   | mov                 dword ptr [ebp - 8], eax
            //   a3????????           |                     
            //   0f95c0               | cmp                 eax, 0

        $sequence_2 = { 8bc7 e8???????? 83c408 833e01 740a }
            // n = 5, score = 200
            //   8bc7                 | pop                 ebx
            //   e8????????           |                     
            //   83c408               | test                eax, eax
            //   833e01               | pop                 edi
            //   740a                 | setne               al

        $sequence_3 = { 6800900100 8d9614010000 52 50 }
            // n = 4, score = 200
            //   6800900100           | mov                 dword ptr [ebp - 0x10], eax
            //   8d9614010000         | mov                 eax, dword ptr [ebp - 8]
            //   52                   | mov                 dword ptr [ebp - 0x14], eax
            //   50                   | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_4 = { 8d8c244c010000 51 ff15???????? 83f8ff 7409 f644240810 7402 }
            // n = 7, score = 200
            //   8d8c244c010000       | mov                 eax, dword ptr [eax]
            //   51                   | push                0
            //   ff15????????         |                     
            //   83f8ff               | push                0x100
            //   7409                 | push                0
            //   f644240810           | push                0
            //   7402                 | add                 esp, 4

        $sequence_5 = { 7d07 b803000000 eb1b e8???????? 83f801 }
            // n = 5, score = 200
            //   7d07                 | push                dword ptr [ebp - 8]
            //   b803000000           | push                dword ptr [ebp - 0x10]
            //   eb1b                 | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   83f801               | push                dword ptr [ebp - 0x10]

        $sequence_6 = { 83f81e 7cf4 eb05 41 3bce 72dd 8d46ff }
            // n = 7, score = 200
            //   83f81e               | je                  0x32
            //   7cf4                 | push                0x400
            //   eb05                 | push                dword ptr [ebp - 0x10]
            //   41                   | add                 esp, 0xc
            //   3bce                 | push                dword ptr [ebp - 0xc]
            //   72dd                 | push                dword ptr [ebp - 0x10]
            //   8d46ff               | push                1

        $sequence_7 = { 33db 6803010000 8d84244d010000 53 }
            // n = 4, score = 200
            //   33db                 | je                  0xf9
            //   6803010000           | push                eax
            //   8d84244d010000       | push                dword ptr [ebp + 0x14]
            //   53                   | push                dword ptr [ebp + 0x10]

        $sequence_8 = { 8364242800 488364242000 4c8bc6 448bc8 33d2 }
            // n = 5, score = 100
            //   8364242800           | mov                 esi, eax
            //   488364242000         | dec                 esp
            //   4c8bc6               | lea                 eax, [0x1d79]
            //   448bc8               | dec                 eax
            //   33d2                 | lea                 ecx, [0x1d8a]

        $sequence_9 = { c7451705000000 48895dff ff15???????? 8364242800 488364242000 }
            // n = 5, score = 100
            //   c7451705000000       | dec                 eax
            //   48895dff             | and                 dword ptr [esp + 0x20], 0
            //   ff15????????         |                     
            //   8364242800           | dec                 esp
            //   488364242000         | mov                 eax, esi

        $sequence_10 = { e8???????? ff75f0 e8???????? ff75dc e8???????? 58 5a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff75f0               | dec                 eax
            //   e8????????           |                     
            //   ff75dc               | lea                 ecx, [0x2105]
            //   e8????????           |                     
            //   58                   | dec                 eax
            //   5a                   | lea                 ebx, [0x2308]

        $sequence_11 = { 0f84f3000000 e8???????? 50 ff7514 ff7510 }
            // n = 5, score = 100
            //   0f84f3000000         | push                0
            //   e8????????           |                     
            //   50                   | push                0
            //   ff7514               | push                dword ptr [ebp - 0x10]
            //   ff7510               | push                dword ptr [ebp - 0x24]

        $sequence_12 = { 55 488dac2450f8ffff 4881ecb0080000 33d2 488d4c2478 }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   488dac2450f8ffff     | dec                 eax
            //   4881ecb0080000       | lea                 ebp, [esp - 0x7b0]
            //   33d2                 | dec                 eax
            //   488d4c2478           | sub                 esp, 0x8b0

        $sequence_13 = { ff75f0 e8???????? 83c40c ff35???????? ff75f4 ff75f0 e8???????? }
            // n = 7, score = 100
            //   ff75f0               | inc                 ecx
            //   e8????????           |                     
            //   83c40c               | mov                 eax, 0x7ce
            //   ff35????????         |                     
            //   ff75f4               | mov                 dword ptr [esp + 0x70], 0x68
            //   ff75f0               | mov                 dword ptr [ebp - 0x54], 1
            //   e8????????           |                     

        $sequence_14 = { 4c8d05791d0000 488d0d8a1d0000 33d2 ff15???????? 3bc6 }
            // n = 5, score = 100
            //   4c8d05791d0000       | dec                 eax
            //   488d0d8a1d0000       | lea                 ecx, [ebp - 0x20]
            //   33d2                 | dec                 esp
            //   ff15????????         |                     
            //   3bc6                 | lea                 ebx, [esp + 0x50]

        $sequence_15 = { e8???????? 8945f8 83f800 7430 6800040000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8945f8               | and                 dword ptr [esp + 0x20], 0
            //   83f800               | dec                 eax
            //   7430                 | lea                 ecx, [ebp - 0x1e]
            //   6800040000           | xor                 edx, edx

        $sequence_16 = { 488bc8 ff15???????? 85c0 0f84ae000000 488bcb ff15???????? 8364245800 }
            // n = 7, score = 100
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 edx, [0xfe9]
            //   0f84ae000000         | dec                 eax
            //   488bcb               | lea                 ecx, [0x1f02]
            //   ff15????????         |                     
            //   8364245800           | dec                 ecx

        $sequence_17 = { e8???????? 4c8d05e91f0000 488d1552110000 488d4de0 ff15???????? 4c8d5c2450 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4c8d05e91f0000       | xor                 edx, edx
            //   488d1552110000       | dec                 eax
            //   488d4de0             | lea                 ecx, [esp + 0x78]
            //   ff15????????         |                     
            //   4c8d5c2450           | dec                 esp

        $sequence_18 = { b8???????? 8b00 8945f0 58 eb13 c745f4e54b2d00 }
            // n = 6, score = 100
            //   b8????????           |                     
            //   8b00                 | mov                 dword ptr [ebp + 0x17], 5
            //   8945f0               | dec                 eax
            //   58                   | mov                 dword ptr [ebp - 1], ebx
            //   eb13                 | and                 dword ptr [esp + 0x28], 0
            //   c745f4e54b2d00       | dec                 eax

        $sequence_19 = { ff15???????? 488d15a4100000 488d0d05210000 ff15???????? 488d1d08230000 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488d15a4100000       | test                eax, eax
            //   488d0d05210000       | je                  0xb6
            //   ff15????????         |                     
            //   488d1d08230000       | dec                 eax

        $sequence_20 = { e8???????? 6a01 ff75f8 ff75f0 e8???????? ff75f8 ff75f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6a01                 | mov                 word ptr [ebp - 0x50], bx
            //   ff75f8               | dec                 eax
            //   ff75f0               | mov                 dword ptr [esp + 0x50], ebx
            //   e8????????           |                     
            //   ff75f8               | push                0
            //   ff75f0               | push                0x100

        $sequence_21 = { 488d15e90f0000 488d0d021f0000 498bf0 ff15???????? }
            // n = 4, score = 100
            //   488d15e90f0000       | lea                 eax, [0x1fe9]
            //   488d0d021f0000       | dec                 eax
            //   498bf0               | lea                 edx, [0x1152]
            //   ff15????????         |                     

        $sequence_22 = { 50 8d45ec 50 6800040000 ff75fc 68???????? e8???????? }
            // n = 7, score = 100
            //   50                   | dec                 esp
            //   8d45ec               | lea                 eax, [0x1d79]
            //   50                   | dec                 eax
            //   6800040000           | lea                 ecx, [0x1d8a]
            //   ff75fc               | xor                 edx, edx
            //   68????????           |                     
            //   e8????????           |                     

    condition:
        // Any 7 of the 23 sequences above must be present. The filesize bound
        // (224 KiB) is a hard cut-off: unpacked dumps or padded builds larger
        // than that fall outside this rule regardless of how many sequences hit.
        7 of them and filesize < 229376
}
[TLP:WHITE] win_sakula_rat_w0   (20170517 | Sakula v1.0)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/
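rule win_sakula_rat_w0 {
    // Sakula v1.0: the v1.x string set shared with win_sakula_rat_w1, but the
    // "MicroPlayerUpdate.exe" marker must be absent (it is required for v1.1).
    // All literals are plain, case-sensitive ASCII (no `wide`/`nocase`), so
    // UTF-16 copies of these strings are not matched.
    meta:
        description = "Sakula v1.0"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"               // printf-style format string
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""    // cmd.exe template: delay via ping, then delete a file
        $m3 = "=%s&type=%d"                          // URL query-string fragment
        $m4 = "?photoid="                            // URL query-string fragment
        $m5 = "iexplorer"                            // short generic token; only meaningful in combination
        $m6 = "net start \"%s\""                     // service-start command template
        $v1_1 = "MicroPlayerUpdate.exe"              // version discriminator (v1.1), negated below
    condition:
        all of ($m*) and not $v1_1
}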
[TLP:WHITE] win_sakula_rat_w1   (20170517 | Sakula v1.1)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

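rule win_sakula_rat_w1 {
    // Sakula v1.1: same string set as win_sakula_rat_w0, but here the
    // "MicroPlayerUpdate.exe" marker is required rather than excluded.
    // All literals are plain, case-sensitive ASCII (no `wide`/`nocase`), so
    // UTF-16 copies of these strings are not matched.
    meta:
        description = "Sakula v1.1"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"               // printf-style format string
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""    // cmd.exe template: delay via ping, then delete a file
        $m3 = "=%s&type=%d"                          // URL query-string fragment
        $m4 = "?photoid="                            // URL query-string fragment
        $m5 = "iexplorer"                            // short generic token; only meaningful in combination
        $m6 = "net start \"%s\""                     // service-start command template
        $v1_1 = "MicroPlayerUpdate.exe"              // version discriminator (v1.1), required here
    condition:
        // every string, including the v1.1 marker
        all of them
}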
[TLP:WHITE] win_sakula_rat_w2   (20170517 | Sakula v1.2)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/


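rule win_sakula_rat_w2 {
    // Sakula v1.2: two v1.x strings plus a rundll32 command template, with
    // "CCPUpdate" required and the v1.1 marker "MicroPlayerUpdate.exe" excluded.
    // All literals are plain, case-sensitive ASCII (no `wide`/`nocase`), so
    // UTF-16 copies of these strings are not matched.
    meta:
        description = "Sakula v1.2"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"               // printf-style format string
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""    // cmd.exe template: delay via ping, then delete a file
        $m3 = "cmd.exe /c rundll32 \"%s\""           // rundll32 launch template
        $v1_1 = "MicroPlayerUpdate.exe"              // v1.1 marker, must be absent
        $v1_2 = "CCPUpdate"                          // v1.2 marker, must be present
    condition:
        // same as "$m1 and $m2 and $m3 and $v1_2 and not $v1_1", written to
        // match the style of win_sakula_rat_w0
        all of ($m*) and $v1_2 and not $v1_1
}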
[TLP:WHITE] win_sakula_rat_w3   (20170517 | Sakula v1.3)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/


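rule win_sakula_rat_w3 {
    // Sakula v1.3: the three v1.2-style strings plus one fixed code sequence.
    // The hex in $v1_3 has no wildcards and embeds absolute 32-bit addresses
    // (e.g. "68 0C 05 41 00", "FF 15 00 F0 40 00"), so it is tied to one
    // build and image base; a relinked or rebased variant will not match it.
    // "68 01 00 00 80" pushes 0x80000001, which looks like a registry-hive
    // constant (HKEY_CURRENT_USER) - NOTE(review): confirm against a sample.
    // String literals are plain, case-sensitive ASCII (no `wide`/`nocase`).
    meta:
        description = "Sakula v1.3"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"               // printf-style format string
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""    // cmd.exe template: delay via ping, then delete a file
        $m3 = "cmd.exe /c rundll32 \"%s\""           // rundll32 launch template

        // build-specific code sequence (v1.3 marker)
        $v1_3 = { 81 3E 78 03 00 00 75 57  8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF  15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31  41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15  24 F0 40 00 E8 0F 09 00 }

    condition:
        all of them
}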
[TLP:WHITE] win_sakula_rat_w4   (20170517 | Sakula v1.4)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

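rule win_sakula_rat_w4 {
    // Sakula v1.4: the three v1.2-style strings plus one fixed code sequence.
    // The hex in $v1_4 has no wildcards; it consists of relative calls/jumps
    // ("E8 .. .. .. ..", "E9 .. .. .. ..") whose displacements are specific
    // to one build, so recompiled variants are unlikely to match it.
    // "68 E8 03 00 00 FF D7" pushes 0x3E8 (1000) and calls through edi -
    // NOTE(review): looks like a 1000 ms delay call; confirm against a sample.
    // String literals are plain, case-sensitive ASCII (no `wide`/`nocase`).
    meta:
        description = "Sakula v1.4"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"               // printf-style format string
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""    // cmd.exe template: delay via ping, then delete a file
        $m3 = "cmd.exe /c rundll32 \"%s\""           // rundll32 launch template

        // build-specific code sequence (v1.4 marker)
        $v1_4 = { 50 E8 CD FC FF FF 83 C4  04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE  FE FF FF E8 13 F5 FF FF }

    condition:
        all of them
}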