Analysis

  • max time kernel
    122s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 08:29

General

  • Target

    2defd4fc35b6e5d9a8b926af9aa3b74e_JaffaCakes118.exe

  • Size

    4.0MB

  • MD5

    2defd4fc35b6e5d9a8b926af9aa3b74e

  • SHA1

    f705a3243b199fcbbbed79ff32bb704c52e05b2d

  • SHA256

    5dfcdab043ff09cab175f977444a871f1b5be457f665518e0f24194f74ff3927

  • SHA512

    14d001b080c58f08541e0b7003bfa7df3eff624deda253da4e3aa0c2a8e35cf5349f388881778289185351ecbda868ff98702e323cc9fd85315bc218340c6f07

  • SSDEEP

    24576:DF9mrnE2Z1y/6oTNBZrBEu8C7jnIQCwRO/wTGS5DBMY1:DD2Z1qT3Zz888QCwRO/wT/aY1

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2defd4fc35b6e5d9a8b926af9aa3b74e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2defd4fc35b6e5d9a8b926af9aa3b74e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2defd4fc35b6e5d9a8b926af9aa3b74e_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    4.0MB

    MD5

    cf83f0b17c66e3f32456731f6c997de8

    SHA1

    fe3f83a6b5414f5001b7072875467f9296e36a2c

    SHA256

    165bbd96cdf7105c88db13fd396dea95ab955f9bb3dc2cf56667404215ccaab0

    SHA512

    fd1065e2b4d61f7f0856d417aaec77aea60f147f6f59777e4918221f722487423bfd2aa8a7400c699c2de0b7b80a086d121f5215db24c1ed3272c2c3332e68bd