Analysis

  • max time kernel
    132s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2024, 09:18

General

  • Target

    a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    a13a17b39004d2d7cfddfdf593dde04d

  • SHA1

    bf09ba32f8b775fd22afc11627f3a9f8bbecf390

  • SHA256

    49ca89dc49848bf43c7689672f40d232d0910961cb5dd88d2157d1639f655a21

  • SHA512

    463fe3f9fae565f83bbdd12ffa5971a5b9c67dcc8fd56ad34a05b7e3612da66b6b900431492bfcf28144b6dc277f2c999fe273edadcee262d0661d05cecac098

  • SSDEEP

    1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtr2:9bfVk29te2jqxCEtg30Bq

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      2⤵
      • Executes dropped EXE
      PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1160
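The process tree above shows the three behaviours worth alerting on: a dropper in %TEMP% launching a second executable from a %TEMP% subfolder, a Run key for persistence, and the `cmd.exe /c ping 127.0.0.1 & del /q "<self>"` idiom, where the loopback ping is only a delay so the original file can be deleted once the dropper exits. The following is an added example, not code from the Triage report or the sample: detection logic for those three signals, run over Sysmon-style process and registry events constructed to mirror this report's tree. The event schema, the benign noise event and the Run value name `AdobeUpdate` (the report says a Run key was added but does not show it) are assumptions.

```python
"""Detection logic for the behaviours the report lists, over constructed
Sysmon-style events. Added example; not part of the Triage report."""
import re

# Paths taken from the report's process tree.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

# Constructed events (assumed Sysmon-like field names). PIDs follow the report.
EVENTS = [
    {"type": "process", "pid": 4652, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "process", "pid": 4868, "ppid": 4652, "image": PAYLOAD,
     "cmdline": PAYLOAD},
    # Image is the SysWOW64 binary although the command line names System32:
    # the 32-bit parent is redirected by WoW64, so match on the command line.
    {"type": "process", "pid": 4060, "ppid": 4652,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process", "pid": 1160, "ppid": 4060,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Assumed Run value: the report states a Run key was added but not its name.
    {"type": "registry", "pid": 4652,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "data": PAYLOAD},
    # Constructed benign noise: an admin pinging from an interactive shell.
    {"type": "process", "pid": 2222, "ppid": 3333,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 4"},
]

# "ping <loopback> ... & del <path>": the ping is a sleep before the delete.
SELF_DELETE = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost|::1)[^&]*&\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def _procs(events):
    """Index process-creation events by PID (insertion order preserved)."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def detect_self_delete(events):
    """(shell pid, deleted path) where a child shell deletes its parent's own image."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        m = SELF_DELETE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and m["target"].strip().lower() == parent["image"].lower():
            hits.append((e["pid"], parent["image"]))
    return hits


def detect_temp_child(events):
    """(parent, child) pairs where a Temp-resident exe launches a different Temp exe."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and TEMP_DIR.search(e["image"]) and TEMP_DIR.search(parent["image"])
                and e["image"].lower() != parent["image"].lower()):
            hits.append((parent["image"], e["image"]))
    return hits


def detect_temp_run_key(events):
    """(key, data) for Run/RunOnce values whose data points into a user Temp directory."""
    return [(e["key"], e["data"]) for e in events
            if e["type"] == "registry"
            and RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["data"])]


def triage(events):
    """Combine the signals; all three together is a dropper-then-payload chain."""
    findings = {
        "self_delete": detect_self_delete(events),
        "temp_child": detect_temp_child(events),
        "temp_run_key": detect_temp_run_key(events),
    }
    findings["score"] = sum(bool(v) for v in findings.values())
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(name, value)
```

The self-delete rule keys on the command line rather than the image, because the parent is 32-bit and WoW64 maps its `System32` reference onto `SysWOW64`; it also requires the deleted path to equal the parent's image, which keeps an admin's `ping` loop (the constructed noise event) out of the results.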

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    Filesize

    92KB

    MD5

    0f75c9ff5a198013c5ee3e949bb75487

    SHA1

    d158ce3096c1f29a2780cc93e2913a9e50bff5a2

    SHA256

    a4b72b20158df18a3547fa0d1544bd1ad7314ad1ae9d594ba544be6e077b068b

    SHA512

    6ba0273b5b8a2449b77a01a79ceaaf0cade6d6372d6fc325bd414885a621296ad5e9f977667680c2955426717d345aa211be007a335da499c4047a8a68a68954