Malware Analysis Report

2025-06-16 01:47

Sample ID 240406-nsl9fsaa66
Target e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118
SHA256 f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
Tags
sectoprat evasion rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48

Threat Level: Known bad

The file e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sectoprat evasion rat themida trojan

SectopRAT payload

SectopRAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 11:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 11:39

Reported

2024-04-06 11:42

Platform

win7-20240221-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2864 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
PID 2208 wrote to memory of 2620 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"

C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe

"C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe"

Network

Country Destination Domain Proto
RU 185.215.113.83:60722 tcp (6 connections)

Files

\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

MD5 e3d6dc87f0151a02413405cf24679168
SHA1 536c88ef259f430f9982159344878c714408aab0
SHA256 473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
SHA512 82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855

C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe

MD5 60da19010d8555edc5d5abf7520a0f6f
SHA1 cd3494b05643b5cbe42796a00ce0502259c3483a
SHA256 9ff2e5069461fdf638a4fa11c6a89ef53b5c65a74bb08dc0f16b46b885f67221
SHA512 177dbefaacc714db3a35b112930dba02ff5725563dacde35dbc2ac5914888be302651caf4fe4239ba0b8ea719c29b409daec024cfbd4f91f09a11ce75d92f500


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 11:39

Reported

2024-04-06 11:42

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"

C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe

"C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.83:60722 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.215.113.83:60722 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.215.113.83:60722 tcp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
RU 185.215.113.83:60722 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
RU 185.215.113.83:60722 tcp
RU 185.215.113.83:60722 tcp

Files

C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

MD5 e3d6dc87f0151a02413405cf24679168
SHA1 536c88ef259f430f9982159344878c714408aab0
SHA256 473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
SHA512 82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855

C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe

MD5 60da19010d8555edc5d5abf7520a0f6f
SHA1 cd3494b05643b5cbe42796a00ce0502259c3483a
SHA256 9ff2e5069461fdf638a4fa11c6a89ef53b5c65a74bb08dc0f16b46b885f67221
SHA512 177dbefaacc714db3a35b112930dba02ff5725563dacde35dbc2ac5914888be302651caf4fe4239ba0b8ea719c29b409daec024cfbd4f91f09a11ce75d92f500
