Overview

overview

10

Static

static

10

JaffaCakes...32.exe

windows7-x64

10

JaffaCakes...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7e0b956ca817755b88a9eaca434d1f32.exe

  • Size

    191KB

  • MD5

    7e0b956ca817755b88a9eaca434d1f32

  • SHA1

    0d9c5617a265c8925843adef9aea75985872c2b1

  • SHA256

    47dea0c9b7c24438b99f48f2c68db6872cc2d1569db72533282c8734066eb21e

  • SHA512

    884bad9c4d6817b96625f35a0f1cd143754b3b73a1a7cb795cd2039c4f3cc7854e769ceb6b9b22be5aac4e4ca6d41c3347701e2cf1f47b703574bfc669ecefeb

  • SSDEEP

    1536:2oaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroZeBsCXKTnB:h0hpgz6xGhTjwHN30BE8BsZB

Score
10/10
sakuladiscoverypersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula family
    sakula
  • Sakula payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e0b956ca817755b88a9eaca434d1f32.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e0b956ca817755b88a9eaca434d1f32.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e0b956ca817755b88a9eaca434d1f32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    191KB

    MD5

    055be1f856f5ff6e5b43a49b435fdfa6

    SHA1

    e9ea8d021bdd164b5ffd461b7f3a6d50d7ca4419

    SHA256

    08c5b5700a451e5d742491ac35b33cec55de5d7b036c5ea7c7b8a528e818cfe1

    SHA512

    c97a7da51221ed640fee05313418fd283fcf349a92f0fc33e3716b96227f2810b04807fec479016e3e019307e8011f087424a8734ad583b57668cb8d06095f81

    Download Submit