
S0074 Sakula

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[1]

| Item | Value |
|---|---|
| ID | S0074 |
| Associated Names | |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Sakula contains UAC bypass code for both 32- and 64-bit systems.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Sakula uses HTTP for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Sakula encodes C2 traffic with single-byte XOR keys.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee’s Outlook Scan About Box to load malicious DLL files.[1] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | Some Sakula samples use cmd.exe to delete temporary files.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Sakula has the capability to download files.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Sakula calls cmd.exe to run various DLL files via rundll32.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0009 | Deep Panda | [2] |

