Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	1
Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	1
Sakula (3eca2d5f-41bf-4ad4-847f-df18befcdc44)	RAT	Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	1
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula - S0074 (96b08451-b27a-4ff6-893f-790e26393a8e)	Malware	2
Sakula RAT (e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b)	Malpedia	Sakula (f6c137f0-979c-4ce2-a0e5-2a080a5a1746)	Tool	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3