Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3