Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2024, 09:18

General

  • Target

    a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    a13a17b39004d2d7cfddfdf593dde04d

  • SHA1

    bf09ba32f8b775fd22afc11627f3a9f8bbecf390

  • SHA256

    49ca89dc49848bf43c7689672f40d232d0910961cb5dd88d2157d1639f655a21

  • SHA512

    463fe3f9fae565f83bbdd12ffa5971a5b9c67dcc8fd56ad34a05b7e3612da66b6b900431492bfcf28144b6dc277f2c999fe273edadcee262d0661d05cecac098

  • SSDEEP

    1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtr2:9bfVk29te2jqxCEtg30Bq

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2584

Downloads

  • \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    Filesize

    92KB

    MD5

    8fe68e47e05790c652b71db60bc9eda3

    SHA1

    912a927c61ec2ff33e6b941ad3724612209802c5

    SHA256

    009feba01e631d4153c1d9bc3bde3d4ceaa1e7d9e494af86132a83c62530bae5

    SHA512

    b72ac1f7cfc786dac2e86cb984395b4d6b73fd89f082a40dbb2324db55f91635babfd1e74e2a3cd3e5d1e159079c7ed1588cb4e88b0cd8c7ae4166437087036a