Analysis
- max time kernel: 141s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 11:39

Static task: static1
Behavioral task: behavioral1
Sample: e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe
- Size: 9.4MB
- MD5: e275365c0a8684b5dce1b5b626cb8649
- SHA1: fdb2e76b53e55f5083774349998815c598074e22
- SHA256: f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
- SHA512: 3c8f459d5676274bd0e71e263abff0c8f582a8dc83acc3169aabe98ae6538e58162990c1c405bd81d1ef681451f52af5e17e78f589fffac94151fa05e69533d1
- SSDEEP: 196608:dlUuy1BuQSR82yCz4M2p9G3ZkOoh+vbXrKDfjOg/JsXHo4ba+:414QSNyCsG3iOzqWhH/bD
Malware Config
Signatures
- SectopRAT payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2864-39-0x0000000000190000-0x0000000000FCE000-memory.dmp  family_sectoprat
  behavioral1/memory/2864-41-0x0000000000190000-0x0000000000FCE000-memory.dmp  family_sectoprat
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  UpdateChecker.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  UpdateChecker.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   UpdateChecker.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2620  Snakyheaded.exe
  2864  UpdateChecker.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2208  e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe  (row repeated 6 times)
- yara rule match: themida (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x000c000000012241-5.dat                                   themida
  behavioral1/memory/2864-39-0x0000000000190000-0x0000000000FCE000-memory.dmp  themida
  behavioral1/memory/2864-41-0x0000000000190000-0x0000000000FCE000-memory.dmp  themida
- Checks whether UAC is enabled (1 IoC)
  description        ioc                                                                                     Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  UpdateChecker.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2864  UpdateChecker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2620  Snakyheaded.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                              procid_target
  PID 2208 wrote to memory of 2864  2208  e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe  28  (row repeated 7 times)
  PID 2208 wrote to memory of 2620  2208  e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe  29  (row repeated 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"
  level 1, PID: 2208
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
    level 2, PID: 2864
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe"
    level 2, PID: 2620
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.9MB
  MD5: 60da19010d8555edc5d5abf7520a0f6f
  SHA1: cd3494b05643b5cbe42796a00ce0502259c3483a
  SHA256: 9ff2e5069461fdf638a4fa11c6a89ef53b5c65a74bb08dc0f16b46b885f67221
  SHA512: 177dbefaacc714db3a35b112930dba02ff5725563dacde35dbc2ac5914888be302651caf4fe4239ba0b8ea719c29b409daec024cfbd4f91f09a11ce75d92f500
- Filesize: 5.4MB
  MD5: e3d6dc87f0151a02413405cf24679168
  SHA1: 536c88ef259f430f9982159344878c714408aab0
  SHA256: 473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
  SHA512: 82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855