sakula | 7447543f4b7f45a231d2160a034db4b2634e1dccca4d57fb4b63f8398a625598

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 10:27

Target

07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe
Size

35KB
MD5

07f6900b7f4e6669133b8aaa5fc5f497
SHA1

26b32c44b9f5f7ac1ba14af1f339773dee49e129
SHA256

7447543f4b7f45a231d2160a034db4b2634e1dccca4d57fb4b63f8398a625598
SHA512

b81b44a238d0067e5f4b5352bbd36a5c26310dedfffa994a4a885dbd65300c6c0098df78eca0109593080af31fc818379fbb4fca170fce04813195714612aa15
SSDEEP

768:lwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647DG:lwbYP4nuEApQK4TQbtY2gA9DX+ytBOY

Score

10^/10

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1836-11-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/3068-12-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/1836-13-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/3068-20-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/1836-29-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1836 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

pid process

3068 07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe
3068 07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

pid	process
2836	cmd.exe

pid	process
1836	MediaCenter.exe

pid	process
3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe
3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2860 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

description pid process

Token: SeIncBasePriorityPrivilege 3068 07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

pid	process
2860	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 1836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	MediaCenter.exe
PID 3068 wrote to memory of 1836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	MediaCenter.exe
PID 3068 wrote to memory of 1836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	MediaCenter.exe
PID 3068 wrote to memory of 1836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	MediaCenter.exe
PID 3068 wrote to memory of 2836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 2836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 2836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 2836	3068	07f6900b7f4e6669133b8aaa5fc5f497_JaffaCakes118.exe	cmd.exe
PID 2836 wrote to memory of 2860	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 2860	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 2860	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 2860	2836	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1836

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
35KB

MD5
dcf9894187bcfe39c637053b2cc23ba6

SHA1
41d285d5db72d8b999e43b707f856fb66957c4b9

SHA256
379770ec0f3ea859784e8562ea73147d8dd7c212c16bd9ae6a8b592a6cb410d8

SHA512
3950cefc3d6b66aeeb7fda15dbdfa2cc8d9a446ea3b9cf93980eb751b54cc5c8068b62c2b21a59642a7741e932e938230ae094b8af33107007ef92b98699964a

Download Submit
memory/1836-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1836-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1836-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3068-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3068-9-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/3068-8-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/3068-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3068-14-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/3068-17-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/3068-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download