sakula | 49ca89dc49848bf43c7689672f40d232d0910961cb5dd88d2157d1639f655a21

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
Size

92KB
MD5

a13a17b39004d2d7cfddfdf593dde04d
SHA1

bf09ba32f8b775fd22afc11627f3a9f8bbecf390
SHA256

49ca89dc49848bf43c7689672f40d232d0910961cb5dd88d2157d1639f655a21
SHA512

463fe3f9fae565f83bbdd12ffa5971a5b9c67dcc8fd56ad34a05b7e3612da66b6b900431492bfcf28144b6dc277f2c999fe273edadcee262d0661d05cecac098
SSDEEP

1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtr2:9bfVk29te2jqxCEtg30Bq

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

www.savmpet.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002f000000014b63-1.dat	family_sakula

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	AdobeUpdate.exe

Loads dropped DLL 4 IoCs

pid	Process
1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
1648	AdobeUpdate.exe
1648	AdobeUpdate.exe
1648	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2584	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2656	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2656	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2656	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2656	1996	a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2584	2656	cmd.exe	32
PID 2656 wrote to memory of 2584	2656	cmd.exe	32
PID 2656 wrote to memory of 2584	2656	cmd.exe	32
PID 2656 wrote to memory of 2584	2656	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

Filesize
92KB

MD5
8fe68e47e05790c652b71db60bc9eda3

SHA1
912a927c61ec2ff33e6b941ad3724612209802c5

SHA256
009feba01e631d4153c1d9bc3bde3d4ceaa1e7d9e494af86132a83c62530bae5

SHA512
b72ac1f7cfc786dac2e86cb984395b4d6b73fd89f082a40dbb2324db55f91635babfd1e74e2a3cd3e5d1e159079c7ed1588cb4e88b0cd8c7ae4166437087036a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads