Skip to content

Hide Navigation Hide TOC

Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Cluster A Galaxy A Cluster B Galaxy B Level
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746) Tool Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44) RAT 1
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b) Malpedia Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44) RAT 1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44) RAT 1
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746) Tool Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746) Tool Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b) Malpedia 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b) Malpedia Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3