Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3