{
	"id": "12b3fde8-4bca-4a69-a632-c4fbb17388ea",
	"created_at": "2026-04-06T00:11:12.653234Z",
	"updated_at": "2026-04-10T03:21:43.248063Z",
	"deleted_at": null,
	"sha1_hash": "dfb9f12e853e6941c7c4805251baa4fa70184ed0",
	"title": "SonicALERT: CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125441,
	"plain_text": "SonicALERT: CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)\r\nArchived: 2026-04-02 11:05:16 UTC\r\nDell SonicWALL Security Center\r\nCVE 2014-0322 Malware - Sakurel (Feb 21, 2014)\r\nDescription\r\nThe Dell SonicWall Threats Research Team has spotted the latest malware being served in the recent CVE 2014-0322 attack. We have already shared our analysis on the exploit behavior, so we will now discuss the behavior of the malware payload, Sakurel.\r\nThis malware has many features and contains multiple levels of embedded files. The malware ultimately seeks to steal information and provide a backdoor to the infected system, and uses different modules to accomplish its tasks.\r\nThe file that gets dropped after exploitation, 'stream.exe', has fairly basic dropper behavior. The file contains an XOR-encoded binary which gets decoded and executed in memory.\r\nhttps://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article\u0026id=654\r\nPage 1 of 5\r\nThe decoded malware contains additional embedded modules, including one that provides for privilege escalation if the current user is not an administrator.\r\nAfter checking if the current process is running as an administrator, the escalation module is extracted and dropped with a .dat extension, then executed via 'rundll32'.\r\nThis DLL contains a well-known technique for escalating user privileges via the 'sysprep' tool. This uses a UAC bypass which affects 32-bit versions of Windows 7 and Windows 8.\r\nOnce the malware has administrator privileges, it extracts an OCX file from its resources and moves a copy of its original dropped incarnation into \"MicroMedia\" underneath \"%APPDATA%\\Local\\Temp\" and creates the following registry key to execute when the system boots up:\r\nComputer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia:\r\n%APPDATA%\\Local\\Temp\\MicroMedia\\MediaCenter.exe\r\nOnce the malware has acquired sufficient access and achieved persistence on the machine, the Windows 'hosts' file is modified to redirect a number of domains to IP addresses controlled by the attackers. These strings from the binary show the domains the attackers are redirecting:\r\nThe following strings, which include command and control domains and paths, are encoded in the binary with the XOR key 0x56:\r\nOverall the main motive of this malware is to steal user credentials from the targeted domains. The malware also provides full backdoor access to the system via the command and control structure. We will continue to monitor this threat and provide updates on its capabilities.\r\nDell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:\r\nGAV: Sakurel.EX (Trojan)\r\nSource: https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article\u0026id=654",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article\u0026id=654"
	],
	"report_names": [
		"searchresults.aspx?ev=article\u0026id=654"
	],
	"threat_actors": [],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfb9f12e853e6941c7c4805251baa4fa70184ed0.pdf",
		"text": "https://archive.orkl.eu/dfb9f12e853e6941c7c4805251baa4fa70184ed0.txt",
		"img": "https://archive.orkl.eu/dfb9f12e853e6941c7c4805251baa4fa70184ed0.jpg"
	}
}