Overview

overview

10

Static

static

10

JaffaCakes...12.exe

windows7-x64

10

JaffaCakes...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2025, 20:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_d1abc3eb8ef2ea349269f836b8a65212.exe

  • Size

    168KB

  • MD5

    d1abc3eb8ef2ea349269f836b8a65212

  • SHA1

    9c6bdf06e06e0fdf98dca643c2c00eab2523a980

  • SHA256

    15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a

  • SHA512

    c963504403ec5656a8b88289d2d991dcd41d5e63b97586b2a07af329ec79fd76066e443c428b47a586c5cc11a46ceebaa1c4aae2bc51d029fbc06db76392f452

  • SSDEEP

    3072:M29DkEGRQixVSjLwes5G30Bg7uZwOuz/xS3iGpZMU:M29qRfVSndj30B3wBxE1+U

Score
10/10
sakuladiscoverypersistencerattrojan

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula family
    sakula
  • Sakula payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d1abc3eb8ef2ea349269f836b8a65212.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d1abc3eb8ef2ea349269f836b8a65212.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d1abc3eb8ef2ea349269f836b8a65212.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1964

Network

  • flag-us
    DNS
    www.polarroute.com
    MediaCenter.exe
    Remote address:
    8.8.8.8:53
    Request
    www.polarroute.com
    IN A
    Response
    www.polarroute.com
    IN A
    76.223.54.146
    www.polarroute.com
    IN A
    13.248.169.48
  • flag-us
    POST
    http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240630093
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /newimage.asp?imageid=fcqrowju805383798&type=0&resid=240630093 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
  • flag-us
    GET
    http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240631484
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /photo/fcqrowju805383798.jpg?resid=240631484 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:30:13 GMT
    content-length: 130
  • flag-us
    GET
    http://www.polarroute.com/viewphoto.asp?resid=240631625&photoid=fcqrowju805383798
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /viewphoto.asp?resid=240631625&photoid=fcqrowju805383798 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:30:13 GMT
    content-length: 156
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60deploystaticakamaitechnologiescom
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.54.223.76.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.54.223.76.in-addr.arpa
    IN PTR
    Response
    146.54.223.76.in-addr.arpa
    IN PTR
    a904c694c05102f30awsglobalacceleratorcom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240662781
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /newimage.asp?imageid=fcqrowju805383798&type=0&resid=240662781 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
  • flag-us
    GET
    http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240663031
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /photo/fcqrowju805383798.jpg?resid=240663031 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:30:44 GMT
    content-length: 130
  • flag-us
    GET
    http://www.polarroute.com/viewphoto.asp?resid=240663156&photoid=fcqrowju805383798
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /viewphoto.asp?resid=240663156&photoid=fcqrowju805383798 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:30:44 GMT
    content-length: 156
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
  • flag-us
    POST
    http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240694312
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /newimage.asp?imageid=fcqrowju805383798&type=0&resid=240694312 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
  • flag-us
    GET
    http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240694562
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /photo/fcqrowju805383798.jpg?resid=240694562 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:31:16 GMT
    content-length: 130
  • flag-us
    GET
    http://www.polarroute.com/viewphoto.asp?resid=240694687&photoid=fcqrowju805383798
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /viewphoto.asp?resid=240694687&photoid=fcqrowju805383798 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:31:16 GMT
    content-length: 156
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240725843
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /newimage.asp?imageid=fcqrowju805383798&type=0&resid=240725843 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
  • flag-us
    GET
    http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240726093
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /photo/fcqrowju805383798.jpg?resid=240726093 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:31:47 GMT
    content-length: 130
  • flag-us
    GET
    http://www.polarroute.com/viewphoto.asp?resid=240726234&photoid=fcqrowju805383798
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /viewphoto.asp?resid=240726234&photoid=fcqrowju805383798 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:31:48 GMT
    content-length: 156
  • flag-us
    POST
    http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240757390
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /newimage.asp?imageid=fcqrowju805383798&type=0&resid=240757390 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Content-Length: 176
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
  • flag-us
    GET
    http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240757625
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /photo/fcqrowju805383798.jpg?resid=240757625 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:32:19 GMT
    content-length: 130
  • flag-us
    GET
    http://www.polarroute.com/viewphoto.asp?resid=240757765&photoid=fcqrowju805383798
    MediaCenter.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /viewphoto.asp?resid=240757765&photoid=fcqrowju805383798 HTTP/1.1
    User-Agent: iexplorer
    Host: www.polarroute.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 09 Jan 2025 20:32:19 GMT
    content-length: 156
  • 76.223.54.146:80
    http://www.polarroute.com/viewphoto.asp?resid=240631625&photoid=fcqrowju805383798
    http
    MediaCenter.exe
    1.1kB
     796 B
     11
    6

    HTTP Request

    POST http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240630093

    HTTP Response

    405

    HTTP Request

    GET http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240631484

    HTTP Response

    200

    HTTP Request

    GET http://www.polarroute.com/viewphoto.asp?resid=240631625&photoid=fcqrowju805383798

    HTTP Response

    200
  • 76.223.54.146:80
    http://www.polarroute.com/viewphoto.asp?resid=240663156&photoid=fcqrowju805383798
    http
    MediaCenter.exe
    1.1kB
     796 B
     10
    6

    HTTP Request

    POST http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240662781

    HTTP Response

    405

    HTTP Request

    GET http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240663031

    HTTP Response

    200

    HTTP Request

    GET http://www.polarroute.com/viewphoto.asp?resid=240663156&photoid=fcqrowju805383798

    HTTP Response

    200
  • 76.223.54.146:80
    http://www.polarroute.com/viewphoto.asp?resid=240694687&photoid=fcqrowju805383798
    http
    MediaCenter.exe
    1.1kB
     796 B
     10
    6

    HTTP Request

    POST http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240694312

    HTTP Response

    405

    HTTP Request

    GET http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240694562

    HTTP Response

    200

    HTTP Request

    GET http://www.polarroute.com/viewphoto.asp?resid=240694687&photoid=fcqrowju805383798

    HTTP Response

    200
  • 76.223.54.146:80
    http://www.polarroute.com/viewphoto.asp?resid=240726234&photoid=fcqrowju805383798
    http
    MediaCenter.exe
    1.1kB
     796 B
     10
    6

    HTTP Request

    POST http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240725843

    HTTP Response

    405

    HTTP Request

    GET http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240726093

    HTTP Response

    200

    HTTP Request

    GET http://www.polarroute.com/viewphoto.asp?resid=240726234&photoid=fcqrowju805383798

    HTTP Response

    200
  • 76.223.54.146:80
    http://www.polarroute.com/viewphoto.asp?resid=240757765&photoid=fcqrowju805383798
    http
    MediaCenter.exe
    1.0kB
     756 B
     9
    5

    HTTP Request

    POST http://www.polarroute.com/newimage.asp?imageid=fcqrowju805383798&type=0&resid=240757390

    HTTP Response

    405

    HTTP Request

    GET http://www.polarroute.com/photo/fcqrowju805383798.jpg?resid=240757625

    HTTP Response

    200

    HTTP Request

    GET http://www.polarroute.com/viewphoto.asp?resid=240757765&photoid=fcqrowju805383798

    HTTP Response

    200
  • 8.8.8.8:53
    www.polarroute.com
    dns
    MediaCenter.exe
    64 B
     96 B
     1
    1

    DNS Request

    www.polarroute.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    60.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    146.54.223.76.in-addr.arpa
    dns
    72 B
     128 B
     1
    1

    DNS Request

    146.54.223.76.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    168KB

    MD5

    2ad7a6a578c199bfe4bdef09b4130517

    SHA1

    54251ded370d3bf8f3e8192df819e6b79df1e101

    SHA256

    80e59f5453d3a328eb880551711963537d1d99f23ca53c5af0dd6fb5b042deed

    SHA512

    95f48fede36b0db70f244bcf7f10b0c03bdc9e4e89cd5c5a6a6f7de268c9a4cb18443626e258b75e99a4b0f097e104b955e5a98dd7246d57097041dc3b2462fe

    Download Submit

  • memory/2376-4-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2376-19-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3412-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3412-10-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.