Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	2
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3