Sakula RAT (Malware Family)

Sakula RAT

aka: Sakurel

Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.

References

2018-11-16 ⋅ CyberThreatIntelligence Blog ⋅ Action09
(C)0ld Case : From Aerospace to China’s interests.
Sakula RAT

2016-07-14 ⋅ Github (nccgroup) ⋅ NCC Group PLC
Technical Notes on Sakula
Sakula RAT

2015-08-06 ⋅ Symantec ⋅ Jon DiMaggio
The Black Vine cyberespionage group
Sakula RAT

2015-07-30 ⋅ Secureworks ⋅ Dell Secureworks CTU
Sakula Malware Family
Sakula RAT

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2014-02-23 ⋅ Symantec ⋅ Symantec
Trojan.Sakurel
Sakula RAT

2014-02-21 ⋅ SonicWall ⋅ Ed Miles
CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)
Sakula RAT

Yara Rules

[TLP:WHITE] win_sakula_rat_auto (20230715 \| Detects win.sakula_rat.) rule win_sakula_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.sakula_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? } // n = 5, score = 300 // 6a00 \| mov dword ptr [esp + 0x28], edi // 6800010000 \| dec eax // 6a00 \| mov dword ptr [esp + 0x20], ebx // 6a00 \| xor ecx, ecx // 68???????? \| $sequence_1 = { 83c404 a1???????? 8b0d???????? 8b15???????? } // n = 4, score = 200 // 83c404 \| push dword ptr [ebp + 8] // a1???????? \| // 8b0d???????? \| // 8b15???????? \| $sequence_2 = { 57 53 e8???????? 56 e8???????? 83c434 } // n = 6, score = 200 // 57 \| cmp eax, 0 // 53 \| je 0x1a0 // e8???????? \| // 56 \| mov dword ptr [eax], 0xc // e8???????? \| // 83c434 \| mov dword ptr [eax + 8], 1 $sequence_3 = { a1???????? 33c4 89842450020000 53 33db } // n = 5, score = 200 // a1???????? \| // 33c4 \| push 0xfde9 // 89842450020000 \| push eax // 53 \| push eax // 33db \| mov dword ptr [ebp - 4], eax $sequence_4 = { 8bf9 6800000080 57 ff15???????? } // n = 4, score = 200 // 8bf9 \| push 0 // 6800000080 \| push 0x100 // 57 \| push 0 // ff15???????? \| $sequence_5 = { 6a01 ffd7 85c0 56 } // n = 4, score = 200 // 6a01 \| mov eax, dword ptr [ebp - 8] // ffd7 \| push dword ptr [eax] // 85c0 \| cmp eax, 0 // 56 \| je 0x86 $sequence_6 = { 3c56 7405 3456 880411 } // n = 4, score = 200 // 3c56 \| add esp, 8 // 7405 \| cmp eax, 0 // 3456 \| jne 0x12 // 880411 \| xor eax, eax $sequence_7 = { e8???????? 83c40c 6a00 6a00 57 53 } // n = 6, score = 200 // e8???????? \| // 83c40c \| push 0x2cc // 6a00 \| mov dword ptr [ebp - 0x28], eax // 6a00 \| push 1 // 57 \| push 0 // 53 \| lea eax, [ebp - 0x24] $sequence_8 = { 68e9fd0000 e8???????? 50 50 } // n = 4, score = 100 // 68e9fd0000 \| lea eax, [ebp - 8] // e8???????? \| // 50 \| push eax // 50 \| push dword ptr [ebp - 4] $sequence_9 = { ff15???????? 8364245800 ff15???????? 488d542458 488bc8 ff15???????? } // n = 6, score = 100 // ff15???????? \| // 8364245800 \| int3 // ff15???????? \| // 488d542458 \| dec eax // 488bc8 \| mov ebx, dword ptr [esp + 0x50] // ff15???????? \| $sequence_10 = { 488d55e0 4533c9 4533c0 33c9 c744242804000000 895c2420 ff15???????? } // n = 7, score = 100 // 488d55e0 \| dec eax // 4533c9 \| mov dword ptr [ebp - 1], ebx // 4533c0 \| dec eax // 33c9 \| lea edx, [ebp - 0x20] // c744242804000000 \| inc ebp // 895c2420 \| xor ecx, ecx // ff15???????? \| $sequence_11 = { 6858020000 8b45fc 052c010000 50 e8???????? eb02 } // n = 6, score = 100 // 6858020000 \| xor ebx, ebx // 8b45fc \| xor eax, eax // 052c010000 \| dec eax // 50 \| mov eax, dword ptr [ecx] // e8???????? \| // eb02 \| call dword ptr [eax + 0x28] $sequence_12 = { 8b45f8 ff30 e8???????? 83f800 0f847b000000 68cc020000 e8???????? } // n = 7, score = 100 // 8b45f8 \| push 0 // ff30 \| push 0x100 // e8???????? \| // 83f800 \| push 0 // 0f847b000000 \| push 0 // 68cc020000 \| mov dword ptr [ebp - 0x18], eax // e8???????? \| $sequence_13 = { e8???????? 8945e8 83f800 0f84a8000000 83f8ff 0f849f000000 8d45f8 } // n = 7, score = 100 // e8???????? \| // 8945e8 \| dec eax // 83f800 \| mov dword ptr [ebp + 7], ebx // 0f84a8000000 \| and dword ptr [esp + 0x58], 0 // 83f8ff \| dec eax // 0f849f000000 \| lea edx, [esp + 0x58] // 8d45f8 \| dec eax $sequence_14 = { 448d4260 e8???????? 33db 33c0 } // n = 4, score = 100 // 448d4260 \| dec eax // e8???????? \| // 33db \| and dword ptr [esp + 0x20], 0 // 33c0 \| and dword ptr [esp + 0x58], 0 $sequence_15 = { a3???????? 50 ff75fc e8???????? 58 c9 c3 } // n = 7, score = 100 // a3???????? \| // 50 \| mov ecx, eax // ff75fc \| dec eax // e8???????? \| // 58 \| mov esi, dword ptr [eax + 8] // c9 \| inc esp // c3 \| lea eax, [edx + 0x60] $sequence_16 = { 33c9 448bc8 897c2428 48895c2420 ff15???????? } // n = 5, score = 100 // 33c9 \| mov dword ptr [esp + 0x28], 4 // 448bc8 \| mov dword ptr [esp + 0x20], ebx // 897c2428 \| xor ecx, ecx // 48895c2420 \| mov edi, eax // ff15???????? \| $sequence_17 = { e8???????? 33c9 ff15???????? cc 488b5c2450 488b742460 } // n = 6, score = 100 // e8???????? \| // 33c9 \| xor eax, eax // ff15???????? \| // cc \| dec eax // 488b5c2450 \| lea ecx, [ebp - 0x1e] // 488b742460 \| xor edx, edx $sequence_18 = { e8???????? 488bce c745e770000000 c7451705000000 48895dff } // n = 5, score = 100 // e8???????? \| // 488bce \| dec eax // c745e770000000 \| mov ecx, esi // c7451705000000 \| mov dword ptr [ebp - 0x19], 0x70 // 48895dff \| mov dword ptr [ebp + 0x17], 5 $sequence_19 = { 33c9 ff15???????? 8bf8 8d5c0008 ff15???????? } // n = 5, score = 100 // 33c9 \| inc ebp // ff15???????? \| // 8bf8 \| xor eax, eax // 8d5c0008 \| xor ecx, ecx // ff15???????? \| $sequence_20 = { 50 ff7508 e8???????? 83c408 83f800 7506 31c0 } // n = 7, score = 100 // 50 \| cmp eax, esi // ff7508 \| je 0x81 // e8???????? \| // 83c408 \| dec esp // 83f800 \| lea ecx, [ebp - 0x29] // 7506 \| dec esp // 31c0 \| lea eax, [0x1d79] $sequence_21 = { 33c0 488d4de2 33d2 41b8ce070000 c744247068000000 c745ac01000000 66895db0 } // n = 7, score = 100 // 33c0 \| lea ebx, [eax + eax + 8] // 488d4de2 \| xor ecx, ecx // 33d2 \| inc esp // 41b8ce070000 \| mov ecx, eax // c744247068000000 \| mov dword ptr [esp + 0x28], edi // c745ac01000000 \| dec eax // 66895db0 \| mov dword ptr [esp + 0x20], ebx $sequence_22 = { 8945d8 6a01 e8???????? 6a00 8d45dc } // n = 5, score = 100 // 8945d8 \| cmp eax, 0 // 6a01 \| je 0xb4 // e8???????? \| // 6a00 \| cmp eax, -1 // 8d45dc \| je 0xb4 condition: 7 of them and filesize < 229376 }
[TLP:WHITE] win_sakula_rat_w0 (20170517 \| Sakula v1.0) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_sakula_rat_w0 { meta: description = "Sakula v1.0" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of ($m) and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w1 (20170517 \| Sakula v1.1) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w1 { meta: description = "Sakula v1.1" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of them }
[TLP:WHITE] win_sakula_rat_w2 (20170517 \| Sakula v1.2) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w2 { meta: description = "Sakula v1.2" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" $v1_2 = "CCPUpdate" condition: $m1 and $m2 and $m3 and $v1_2 and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w3 (20170517 \| Sakula v1.3) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w3 { meta: description = "Sakula v1.3" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 } condition: all of them }
[TLP:WHITE] win_sakula_rat_w4 (20170517 \| Sakula v1.4) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w4 { meta: description = "Sakula v1.4" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF } condition: all of them }

Download all Yara Rules

[TLP:WHITE] win_sakula_rat_auto (20230715 \| Detects win.sakula_rat.) rule win_sakula_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.sakula_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? } // n = 5, score = 300 // 6a00 \| mov dword ptr [esp + 0x28], edi // 6800010000 \| dec eax // 6a00 \| mov dword ptr [esp + 0x20], ebx // 6a00 \| xor ecx, ecx // 68???????? \| $sequence_1 = { 83c404 a1???????? 8b0d???????? 8b15???????? } // n = 4, score = 200 // 83c404 \| push dword ptr [ebp + 8] // a1???????? \| // 8b0d???????? \| // 8b15???????? \| $sequence_2 = { 57 53 e8???????? 56 e8???????? 83c434 } // n = 6, score = 200 // 57 \| cmp eax, 0 // 53 \| je 0x1a0 // e8???????? \| // 56 \| mov dword ptr [eax], 0xc // e8???????? \| // 83c434 \| mov dword ptr [eax + 8], 1 $sequence_3 = { a1???????? 33c4 89842450020000 53 33db } // n = 5, score = 200 // a1???????? \| // 33c4 \| push 0xfde9 // 89842450020000 \| push eax // 53 \| push eax // 33db \| mov dword ptr [ebp - 4], eax $sequence_4 = { 8bf9 6800000080 57 ff15???????? } // n = 4, score = 200 // 8bf9 \| push 0 // 6800000080 \| push 0x100 // 57 \| push 0 // ff15???????? \| $sequence_5 = { 6a01 ffd7 85c0 56 } // n = 4, score = 200 // 6a01 \| mov eax, dword ptr [ebp - 8] // ffd7 \| push dword ptr [eax] // 85c0 \| cmp eax, 0 // 56 \| je 0x86 $sequence_6 = { 3c56 7405 3456 880411 } // n = 4, score = 200 // 3c56 \| add esp, 8 // 7405 \| cmp eax, 0 // 3456 \| jne 0x12 // 880411 \| xor eax, eax $sequence_7 = { e8???????? 83c40c 6a00 6a00 57 53 } // n = 6, score = 200 // e8???????? \| // 83c40c \| push 0x2cc // 6a00 \| mov dword ptr [ebp - 0x28], eax // 6a00 \| push 1 // 57 \| push 0 // 53 \| lea eax, [ebp - 0x24] $sequence_8 = { 68e9fd0000 e8???????? 50 50 } // n = 4, score = 100 // 68e9fd0000 \| lea eax, [ebp - 8] // e8???????? \| // 50 \| push eax // 50 \| push dword ptr [ebp - 4] $sequence_9 = { ff15???????? 8364245800 ff15???????? 488d542458 488bc8 ff15???????? } // n = 6, score = 100 // ff15???????? \| // 8364245800 \| int3 // ff15???????? \| // 488d542458 \| dec eax // 488bc8 \| mov ebx, dword ptr [esp + 0x50] // ff15???????? \| $sequence_10 = { 488d55e0 4533c9 4533c0 33c9 c744242804000000 895c2420 ff15???????? } // n = 7, score = 100 // 488d55e0 \| dec eax // 4533c9 \| mov dword ptr [ebp - 1], ebx // 4533c0 \| dec eax // 33c9 \| lea edx, [ebp - 0x20] // c744242804000000 \| inc ebp // 895c2420 \| xor ecx, ecx // ff15???????? \| $sequence_11 = { 6858020000 8b45fc 052c010000 50 e8???????? eb02 } // n = 6, score = 100 // 6858020000 \| xor ebx, ebx // 8b45fc \| xor eax, eax // 052c010000 \| dec eax // 50 \| mov eax, dword ptr [ecx] // e8???????? \| // eb02 \| call dword ptr [eax + 0x28] $sequence_12 = { 8b45f8 ff30 e8???????? 83f800 0f847b000000 68cc020000 e8???????? } // n = 7, score = 100 // 8b45f8 \| push 0 // ff30 \| push 0x100 // e8???????? \| // 83f800 \| push 0 // 0f847b000000 \| push 0 // 68cc020000 \| mov dword ptr [ebp - 0x18], eax // e8???????? \| $sequence_13 = { e8???????? 8945e8 83f800 0f84a8000000 83f8ff 0f849f000000 8d45f8 } // n = 7, score = 100 // e8???????? \| // 8945e8 \| dec eax // 83f800 \| mov dword ptr [ebp + 7], ebx // 0f84a8000000 \| and dword ptr [esp + 0x58], 0 // 83f8ff \| dec eax // 0f849f000000 \| lea edx, [esp + 0x58] // 8d45f8 \| dec eax $sequence_14 = { 448d4260 e8???????? 33db 33c0 } // n = 4, score = 100 // 448d4260 \| dec eax // e8???????? \| // 33db \| and dword ptr [esp + 0x20], 0 // 33c0 \| and dword ptr [esp + 0x58], 0 $sequence_15 = { a3???????? 50 ff75fc e8???????? 58 c9 c3 } // n = 7, score = 100 // a3???????? \| // 50 \| mov ecx, eax // ff75fc \| dec eax // e8???????? \| // 58 \| mov esi, dword ptr [eax + 8] // c9 \| inc esp // c3 \| lea eax, [edx + 0x60] $sequence_16 = { 33c9 448bc8 897c2428 48895c2420 ff15???????? } // n = 5, score = 100 // 33c9 \| mov dword ptr [esp + 0x28], 4 // 448bc8 \| mov dword ptr [esp + 0x20], ebx // 897c2428 \| xor ecx, ecx // 48895c2420 \| mov edi, eax // ff15???????? \| $sequence_17 = { e8???????? 33c9 ff15???????? cc 488b5c2450 488b742460 } // n = 6, score = 100 // e8???????? \| // 33c9 \| xor eax, eax // ff15???????? \| // cc \| dec eax // 488b5c2450 \| lea ecx, [ebp - 0x1e] // 488b742460 \| xor edx, edx $sequence_18 = { e8???????? 488bce c745e770000000 c7451705000000 48895dff } // n = 5, score = 100 // e8???????? \| // 488bce \| dec eax // c745e770000000 \| mov ecx, esi // c7451705000000 \| mov dword ptr [ebp - 0x19], 0x70 // 48895dff \| mov dword ptr [ebp + 0x17], 5 $sequence_19 = { 33c9 ff15???????? 8bf8 8d5c0008 ff15???????? } // n = 5, score = 100 // 33c9 \| inc ebp // ff15???????? \| // 8bf8 \| xor eax, eax // 8d5c0008 \| xor ecx, ecx // ff15???????? \| $sequence_20 = { 50 ff7508 e8???????? 83c408 83f800 7506 31c0 } // n = 7, score = 100 // 50 \| cmp eax, esi // ff7508 \| je 0x81 // e8???????? \| // 83c408 \| dec esp // 83f800 \| lea ecx, [ebp - 0x29] // 7506 \| dec esp // 31c0 \| lea eax, [0x1d79] $sequence_21 = { 33c0 488d4de2 33d2 41b8ce070000 c744247068000000 c745ac01000000 66895db0 } // n = 7, score = 100 // 33c0 \| lea ebx, [eax + eax + 8] // 488d4de2 \| xor ecx, ecx // 33d2 \| inc esp // 41b8ce070000 \| mov ecx, eax // c744247068000000 \| mov dword ptr [esp + 0x28], edi // c745ac01000000 \| dec eax // 66895db0 \| mov dword ptr [esp + 0x20], ebx $sequence_22 = { 8945d8 6a01 e8???????? 6a00 8d45dc } // n = 5, score = 100 // 8945d8 \| cmp eax, 0 // 6a01 \| je 0xb4 // e8???????? \| // 6a00 \| cmp eax, -1 // 8d45dc \| je 0xb4 condition: 7 of them and filesize < 229376 }
[TLP:WHITE] win_sakula_rat_w0 (20170517 \| Sakula v1.0) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_sakula_rat_w0 { meta: description = "Sakula v1.0" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of ($m) and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w1 (20170517 \| Sakula v1.1) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w1 { meta: description = "Sakula v1.1" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of them }
[TLP:WHITE] win_sakula_rat_w2 (20170517 \| Sakula v1.2) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w2 { meta: description = "Sakula v1.2" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" $v1_2 = "CCPUpdate" condition: $m1 and $m2 and $m3 and $v1_2 and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w3 (20170517 \| Sakula v1.3) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w3 { meta: description = "Sakula v1.3" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 } condition: all of them }
[TLP:WHITE] win_sakula_rat_w4 (20170517 \| Sakula v1.4) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w4 { meta: description = "Sakula v1.4" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF } condition: all of them }

Sakula RAT Propose Change

References

Yara Rules

Sakula RAT