Sakula
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
Some Sakula samples install themselves as services for persistence by calling WinExec with the |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography | |
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading |
Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[1] |
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Most Sakula samples maintain persistence by setting the Registry Run key |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[1] |
| Enterprise | T1548 | .002 | 滥用权限提升控制机制: Bypass User Account Control |
Sakula contains UAC bypass code for both 32- and 64-bit systems.[1] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Some Sakula samples use cmd.exe to delete temporary files.[1] |
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
Sakula calls cmd.exe to run various DLL files via rundll32.[1] |
| Enterprise | T1105 | 输入工具传输 | ||
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0009 | Deep Panda |