sectoprat | 3b2af503570f45503e471c89e657187eb6a0617f429624692cf5c7f88f6e6c7c

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 20:56

Target

f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe
Size

2.0MB
MD5

f44f6487cdadb019517a1216d7bd6505
SHA1

e862fe4206dff6b88d18b522b3b71cf1fd21c9e9
SHA256

3b2af503570f45503e471c89e657187eb6a0617f429624692cf5c7f88f6e6c7c
SHA512

fd84fae1e3e8d8056bf87eecaf2d68e280cca2cd57a9651c7a24793b72de678de5fc0637be9bd479a41185d4107f3b7b5bb57662285f51a4513f9cf8addc393a
SSDEEP

49152:07hkaliMtCWrymWI3WDpMbdubKGMpN0w4SDv9tiWSaL:wxCW1cfKGMpN0KUi

Score

10^/10

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2204-3-0x00000000013B0000-0x0000000001CD0000-memory.dmp	family_sectoprat
behavioral1/memory/2204-4-0x00000000013B0000-0x0000000001CD0000-memory.dmp	family_sectoprat
behavioral1/memory/2204-6-0x00000000013B0000-0x0000000001CD0000-memory.dmp	family_sectoprat

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1748	2204	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1748	2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe	29
PID 2204 wrote to memory of 1748	2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe	29
PID 2204 wrote to memory of 1748	2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe	29
PID 2204 wrote to memory of 1748	2204	f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f44f6487cdadb019517a1216d7bd6505_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 784
  2⤵
  - Program crash
  PID:1748

memory/2204-0-0x00000000013B0000-0x0000000001CD0000-memory.dmp

Filesize
9.1MB

Download
memory/2204-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2204-3-0x00000000013B0000-0x0000000001CD0000-memory.dmp

Filesize
9.1MB

Download
memory/2204-2-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-4-0x00000000013B0000-0x0000000001CD0000-memory.dmp

Filesize
9.1MB

Download
memory/2204-5-0x0000000006500000-0x0000000006540000-memory.dmp

Filesize
256KB

Download
memory/2204-6-0x00000000013B0000-0x0000000001CD0000-memory.dmp

Filesize
9.1MB

Download
memory/2204-8-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2204-9-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-10-0x0000000006500000-0x0000000006540000-memory.dmp

Filesize
256KB

Download