Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    31/12/2024, 12:21 UTC

General

  • Target

    JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe

  • Size

    17.3MB

  • MD5

    1afbd223308a0b0f6b91f78a2761776b

  • SHA1

    12c79907889dbf3d3709630d7bdf7a434fcd9c3f

  • SHA256

    0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6

  • SHA512

    6123d38466e56897c52355ddc104735ceab968bad58b24ae3b659c74efb607397c644a29ec3bccc7a656f08085487f377ef74b92baa12666ac01a2defc6bb4cf

  • SSDEEP

    196608:Bc9OvKxJo/Rps2SQ19lT5MkWHxiJdO94diELmIHOL34WQU3Zu/O:2ovKxRQ1fT5MkWHxiJgEduj4g3ZuO

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 10 IoCs
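The four host-fingerprinting signatures above (VirtualBox ACPI keys, BIOS strings, UAC state, system language) are all registry reads. The script below, added here as an example and not code from the sample or the sandbox, replays those checks against a registry snapshot so an analyst can see which values would expose an analysis VM. The registry paths are the ones these signature names conventionally refer to; that mapping is an assumption, as are the two constructed snapshots.

```python
"""Replay the host-fingerprinting checks this report flags (VirtualBox ACPI
keys, BIOS strings, UAC state, system language) against a registry snapshot,
so an analyst can see which values would expose a sandbox.  Added example,
not code from the sample or the sandbox; the key paths are the ones these
signature names conventionally refer to, which is an assumption."""
import re

# Assumed registry locations behind each signature name in the report.
ACPI_VBOX_KEYS = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
)
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
BIOS_FIELDS = ("SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion")
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
LOCALE_VALUE = r"HKCU\Control Panel\International\LocaleName"
VM_MARKERS = re.compile(r"virtualbox|vbox|innotek|vmware|qemu|bochs|xen", re.I)


def analysis_checks(snapshot):
    """snapshot: {full registry path: value}; a key that exists but carries
    no value is stored as None.  Returns what each check would conclude."""
    acpi_vbox = any(k in snapshot for k in ACPI_VBOX_KEYS)
    bios = {f: str(snapshot.get(f"{BIOS_KEY}\\{f}", "")) for f in BIOS_FIELDS}
    bios_vm = any(VM_MARKERS.search(v) for v in bios.values())
    locale = str(snapshot.get(LOCALE_VALUE, ""))
    return {
        "acpi_virtualbox": acpi_vbox,
        "bios_vm_vendor": bios_vm,
        "uac_enabled": snapshot.get(UAC_VALUE) == 1,
        "language": locale.split("-")[0].lower(),
        "looks_like_sandbox": acpi_vbox or bios_vm,
    }


def live_snapshot():
    """Build the same snapshot from a running Windows host; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for path in ACPI_VBOX_KEYS:                      # key existence only
        hive, _, sub = path.partition("\\")
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            snap[path] = None
        except OSError:
            pass
    values = [UAC_VALUE, LOCALE_VALUE] + [f"{BIOS_KEY}\\{f}" for f in BIOS_FIELDS]
    for path in values:                              # named values
        hive, _, rest = path.partition("\\")
        sub, _, name = rest.rpartition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                snap[path] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return snap


# Constructed snapshot resembling a stock VirtualBox guest (not from the report).
VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": None,
    BIOS_KEY + r"\SystemManufacturer": "innotek GmbH",
    BIOS_KEY + r"\SystemProductName": "VirtualBox",
    UAC_VALUE: 1,
    LOCALE_VALUE: "en-US",
}
# Constructed snapshot for a physical host (vendor strings are illustrative).
BARE_METAL = {
    BIOS_KEY + r"\SystemManufacturer": "Dell Inc.",
    BIOS_KEY + r"\SystemProductName": "Latitude 7420",
    UAC_VALUE: 1,
    LOCALE_VALUE: "en-US",
}

if __name__ == "__main__":
    print(analysis_checks(live_snapshot() or VBOX_GUEST))
```

Run on a sandbox guest, a `True` in `acpi_virtualbox` or `bios_vm_vendor` is the value to patch (rename the ACPI tables, overwrite the SMBIOS strings) before re-detonating; note that the report shows `checking.exe`, not the dropper itself, performing these reads, so a guest that trips them will still show the dropper's first stage.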

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\ProgramData\NordVPN.exe
      "C:\ProgramData\NordVPN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\ProgramData\NordVPN.exe
        "C:\ProgramData\NordVPN.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2988
    • C:\Users\Admin\AppData\Local\Temp\checking.exe
      "C:\Users\Admin\AppData\Local\Temp\checking.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2688

Network

    No results found

    Destination          Process        Size    Count
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3
    195.245.113.122:80   checking.exe   152 B   3

    No results found
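The process tree and the flow list above together describe a hunt-able pattern: a Temp-resident dropper starting an executable at the root of C:\ProgramData that re-launches itself, plus a second Temp-resident binary making repeated short connections to one IP:port. The script below, added here as an example and not the sandbox's own logic, encodes that chain and the hashes from the Downloads section as rules over process-creation and network events. The event dictionaries are a constructed, Sysmon-like shape rather than a real log format, and the rule thresholds are this editor's heuristics.

```python
"""Hunt for the execution chain and network pattern recorded in this report
(Temp-resident dropper -> C:\\ProgramData\\NordVPN.exe re-launching itself,
Temp\\checking.exe beaconing to 195.245.113.122:80) in endpoint telemetry.
Added example, not the sandbox's own logic; the event dicts are a constructed,
Sysmon-like shape, and the rules are this editor's heuristics."""
import re
from collections import defaultdict

# Indicators copied from the report.
C2_ENDPOINTS = {("195.245.113.122", 80)}
KNOWN_SHA256 = {
    "0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6": "submitted sample",
    "04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd": "NordVPN.exe (dropped)",
    "d8b92a8851ad6c7e63b80c83ef64821502333737bd1bf88ae6631a63e6f9f2e7": "checking.exe (dropped)",
    "f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366": "python39.dll (PyInstaller _MEI)",
}
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAMDATA_ROOT = re.compile(r"^c:\\programdata\\[^\\]+\.exe$", re.I)   # exe directly in ProgramData
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)


def hunt(events):
    """Return (rule, pid, detail) hits for a chronologically ordered event list."""
    procs, hits = {}, []
    flows = defaultdict(int)                       # (pid, dst, port) -> flow count
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = e
            image, parent = e["image"], procs.get(e["ppid"])
            if e.get("sha256") in KNOWN_SHA256:
                hits.append(("known_hash", e["pid"], KNOWN_SHA256[e["sha256"]]))
            # A Temp-resident binary starting an exe at the root of C:\ProgramData;
            # a genuine installer would place its binaries under Program Files.
            if parent and TEMP_DIR.search(parent["image"]) and PROGRAMDATA_ROOT.search(image):
                hits.append(("temp_spawns_programdata_exe", e["pid"], image))
            # Non-system binary re-launching its own image (PID 2720 -> 2988 above).
            if parent and parent["image"].lower() == image.lower() and not WINDOWS_DIR.search(image):
                hits.append(("self_relaunch", e["pid"], image))
        elif e["type"] == "network":
            flows[(e["pid"], e["dst"], e["dport"])] += 1
            if (e["dst"], e["dport"]) in C2_ENDPOINTS:
                hits.append(("known_c2_endpoint", e["pid"], f"{e['dst']}:{e['dport']}"))
    # Repeated short flows from a Temp-resident process to one endpoint (threshold assumed).
    for (pid, dst, port), n in flows.items():
        proc = procs.get(pid)
        if n >= 3 and proc and TEMP_DIR.search(proc["image"]):
            hits.append(("repeated_flows_from_temp", pid, f"{n} flows to {dst}:{port}"))
    return hits


# Constructed telemetry mirroring the process tree and flows in this report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2308, "ppid": 1,
     "image": TEMP + r"\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe",
     "sha256": "0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6"},
    {"type": "process", "pid": 2720, "ppid": 2308, "image": r"C:\ProgramData\NordVPN.exe",
     "sha256": "04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd"},
    {"type": "process", "pid": 2988, "ppid": 2720, "image": r"C:\ProgramData\NordVPN.exe",
     "sha256": "04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd"},
    {"type": "process", "pid": 2688, "ppid": 2308, "image": TEMP + r"\checking.exe",
     "sha256": "d8b92a8851ad6c7e63b80c83ef64821502333737bd1bf88ae6631a63e6f9f2e7"},
] + [{"type": "network", "pid": 2688, "dst": "195.245.113.122", "dport": 80} for _ in range(7)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

The hash rule is the brittle one (Themida and PyInstaller rebuilds change every hash); the three behavioural rules survive re-packing and are the ones worth carrying into a SIEM query, with the ProgramData-root and self-relaunch rules tuned against the legitimate software in the environment before alerting on them.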

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\NordVPN.exe

    Filesize

    8.6MB

    MD5

    e1590f9efc426b3a73698a1270f759c1

    SHA1

    5f2b57e634061292f9aa309b82e466ebd916e494

    SHA256

    04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd

    SHA512

    fe1cdc5dc437cd64e38a72f1567d7ce11dfd980c7d4fcd013e9e6ad0cf08e7743f7c77c83ba1c0731cb011f33b5924ce13a8890722a901d02b88512d9bf42125

  • C:\Users\Admin\AppData\Local\Temp\_MEI27202\python39.dll

    Filesize

    4.3MB

    MD5

    1d5e4c20a20740f38f061bdf48aaca4f

    SHA1

    de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

    SHA256

    f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

    SHA512

    9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

  • C:\Users\Admin\AppData\Local\Temp\checking.exe

    Filesize

    3.0MB

    MD5

    6b7435cbc5c64eecf529312f969358de

    SHA1

    eb69b8132bb7624626e5334bb23fe71b3b99cd7b

    SHA256

    d8b92a8851ad6c7e63b80c83ef64821502333737bd1bf88ae6631a63e6f9f2e7

    SHA512

    b170329259f60dccc4012c23cf12645b43e9be79f5bbcb0af817c05b862c683fe2c7358b74f1f14c7fd071f8cd21d220ad6c156ba37a695387e6c688fafc9978

  • memory/2308-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

    Filesize

    4KB

  • memory/2308-1-0x000000013F090000-0x00000001401D2000-memory.dmp

    Filesize

    17.3MB

  • memory/2308-2-0x000000001BE70000-0x000000001C9EE000-memory.dmp

    Filesize

    11.5MB

  • memory/2308-6-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

    Filesize

    9.9MB

  • memory/2308-31-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

    Filesize

    9.9MB

  • memory/2688-30-0x0000000000380000-0x0000000000BA8000-memory.dmp

    Filesize

    8.2MB

  • memory/2688-58-0x0000000000380000-0x0000000000BA8000-memory.dmp

    Filesize

    8.2MB

  • memory/2688-59-0x0000000000380000-0x0000000000BA8000-memory.dmp

    Filesize

    8.2MB

  • memory/2688-94-0x0000000000380000-0x0000000000BA8000-memory.dmp

    Filesize

    8.2MB
