Malware Analysis Report

2025-01-02 02:49

Sample ID: 241127-fnrdlsvnhp
Target: a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118
SHA256: 43c1fc43939bfc76e72be7921eea9fae53bb5426f94df50ec02e543b44c662e9
Tags: sakula discovery persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 43c1fc43939bfc76e72be7921eea9fae53bb5426f94df50ec02e543b44c662e9

Threat Level: Known bad

The file a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula payload

Sakula

Sakula family

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-27 05:01

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-27 05:01
Reported: 2024-11-27 05:04
Platform: win7-20240903-en
Max time kernel: 133s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2148 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2148 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2148 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2148 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2148 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2472 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2472 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2472 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: 86b46d2831339f7361a3dbc03cc11d91
SHA1: 0ce3e33db362235d47a9a906c8947881b29bf9fc
SHA256: 51d3fe899d4e8c34ec2274ffc625b40c60d4b7185e92204c1a15046a4d0f9fe1
SHA512: afe9532d1512cc0c04b1f0b17b63c1148c3681417798298c59d0cc827e1f7e838c3f1e1f9c874f78a78aaebc9d8378e62d9c39032f361ba808b1a6a21e54e963

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-27 05:01
Reported: 2024-11-27 05:04
Platform: win10v2004-20241007-en
Max time kernel: 114s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a608a91ec75ba9dfd37d4c0e01c7858c_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: fe6b8a5149977d80c89dce6d672af880
SHA1: b1f10c7a76bc9bd55c2d355874c4efa5b31da336
SHA256: d0b9b331c511e98e870f9684608baeaeb37909debb2e88c851c61c2df01a70bb
SHA512: cc13d34b6f28306fec43deeab950fc5d9893cf67c7fa723217ddb64b42752dfa253ef8c0d4ffadc9462ffd096d7ea80540bd17b3e8fe228736362538ed8f103d