Malware Analysis Report

2025-01-02 02:49

Sample ID 241126-qznf7stldz
Target a243d82053a6a7e880649107ef6dfc02_JaffaCakes118
SHA256 0cbf50536e404fd114c560451877027033e8b98d4214cba3541d21563de14f5f
Tags
sakula discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0cbf50536e404fd114c560451877027033e8b98d4214cba3541d21563de14f5f

Threat Level: Known bad

The file a243d82053a6a7e880649107ef6dfc02_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula

Sakula payload

Sakula family

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 13:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 13:42

Reported

2024-11-26 13:44

Platform

win7-20240729-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2236 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2236 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2236 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2236 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2236 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/2236-0-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 22918f5e960c91f8e7568faa7e7fe648
SHA1 1490c16730a0c68fbe98de58847ba6f900412874
SHA256 5489c0c8ac755fd95423f251983f5f9371252a81db239fe35d7f1be532716498
SHA512 8d0cc992ad91d92e75413d70b09f3b054122405389c7e5838beb096284ed8c993748c36e920a3e0424a682380fa9408f978fec89ff9e56385066aec18abfe3cb

memory/2236-9-0x00000000003C0000-0x00000000003DA000-memory.dmp

memory/2236-10-0x00000000003C0000-0x00000000003DA000-memory.dmp

memory/1216-11-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2236-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2236-13-0x00000000003C0000-0x00000000003DA000-memory.dmp

memory/2236-14-0x00000000003C0000-0x00000000003DA000-memory.dmp

memory/1216-15-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2236-23-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1216-29-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 13:42

Reported

2024-11-26 13:44

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a243d82053a6a7e880649107ef6dfc02_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
TH | 184.22.175.13:80 | | tcp

Files

memory/2428-0-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9fb494b12cf918564c4ecdd2d65245f2
SHA1 232db589f0835d3c1abf5cba2df1b586f5e30971
SHA256 c7a5aad4cb6c39f99ae81e40aadf99a915744da0afec81d1b1b41f8464dba8d3
SHA512 40937b1e33fb57b02d5f9cf4f49fefbcb00a2db44406614f7c839dd54065e8209efddc36806014c66c6eb74ed60ca813e3912bb1384a683af28e8b80623e7841

memory/1280-5-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2428-6-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1280-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2428-14-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1280-19-0x0000000000400000-0x000000000041A000-memory.dmp