Analysis
-
max time kernel
131s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
10/09/2024, 04:29
General
-
Target
d795d73097ce4c9d2d8214d89ae312df_JaffaCakes118.exe
-
Size
80KB
-
MD5
d795d73097ce4c9d2d8214d89ae312df
-
SHA1
c117b2479a42dd9a33d420414e2df82ae23e055c
-
SHA256
3fc82a1d4f6cde0cba0d97fc283901962538d7f971d91c6e23a2e9aa0cca7275
-
SHA512
2ecf1645a9d4b67202cf1e390c31be5e322b860d9e832cad6bf72541338a5b241ab57dfa0a707c921c37f4cd1bf5fb82c40c999dc54ade9ffc660454e967517b
-
SSDEEP
1536:/oaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtrov:A0hpgz6xGhTjwHN30BEv
Malware Config
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d795d73097ce4c9d2d8214d89ae312df_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d795d73097ce4c9d2d8214d89ae312df_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d795d73097ce4c9d2d8214d89ae312df_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD5ed04685dfc7aea06fc6ead4e8299e034
SHA15b75da6c7b3cfad0b82645cdd58813b74532d5b6
SHA2564e140690cdd3a71d7fc7dfc176f99f3ef2d4d93218d69156f08a68e28b7e8ee2
SHA512a5d7cd0518adbf098170ec6d9eb08fe50b56c959405a47a81430d23938de69dffeed816cd4606498356d3cf7c66bb5b84e3270c8318a95aec527fdbf0b90dc0d