sakula | 869a349f7dcc69a13af993e6daa20a490fe0bffa44db15ffb6bc03cd1aa1adbd

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 18:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe
Size

35KB
MD5

31883f9b10fb4cac9fdb49438d3fd8e2
SHA1

c75c73eaa2329a884e150659155d8950d703b19a
SHA256

869a349f7dcc69a13af993e6daa20a490fe0bffa44db15ffb6bc03cd1aa1adbd
SHA512

65f114e45ccf2706b1e5883288d5b95d974a2debac21713307c973776b3f7898fb49d57ed2d33a846906ba0e62b4c0f935c0c2ded082eee997bd914fbc6cde85
SSDEEP

768:lwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647D4:lwbYP4nuEApQK4TQbtY2gA9DX+ytBOu

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

resource	yara_rule
behavioral2/memory/2860-6-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/3628-7-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/2860-11-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/3628-15-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3628	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3304	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3628	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	82
PID 2860 wrote to memory of 3628	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	82
PID 2860 wrote to memory of 3628	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	82
PID 2860 wrote to memory of 2804	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	92
PID 2860 wrote to memory of 2804	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	92
PID 2860 wrote to memory of 2804	2860	31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe	92
PID 2804 wrote to memory of 3304	2804	cmd.exe	94
PID 2804 wrote to memory of 3304	2804	cmd.exe	94
PID 2804 wrote to memory of 3304	2804	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\31883f9b10fb4cac9fdb49438d3fd8e2_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
35KB

MD5
e2056e9a35b1ce3cb4f416bf186b6b51

SHA1
e9288c4e121ece5ff04eb99dce65220016b8d7f6

SHA256
4fc2340f1565525174b0945363584b6e2642efd05c9ed9281df07b37a71a4912

SHA512
4efc5c8a0ec2e3de2e85534bd00de113e2e5eb9d3695ead0ea5b3ada4f1a09f75a195d1f0478702b38633bf2021bece311ebe1db7a0b03220fb389023afffb9a

Download Submit
memory/2860-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2860-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2860-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3628-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads