Analysis
max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 12:21 UTC

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
Resource: win7-20240729-en
General
Target: JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
Size: 17.3MB
MD5: 1afbd223308a0b0f6b91f78a2761776b
SHA1: 12c79907889dbf3d3709630d7bdf7a434fcd9c3f
SHA256: 0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6
SHA512: 6123d38466e56897c52355ddc104735ceab968bad58b24ae3b659c74efb607397c644a29ec3bccc7a656f08085487f377ef74b92baa12666ac01a2defc6bb4cf
SSDEEP: 196608:Bc9OvKxJo/Rps2SQ19lT5MkWHxiJdO94diELmIHOL34WQU3Zu/O:2ovKxRQ1fT5MkWHxiJgEduj4g3ZuO
Malware Config
Signatures
SectopRAT payload (2 IoCs)
  yara_rule family_sectoprat: behavioral1/memory/2688-58-0x0000000000380000-0x0000000000BA8000-memory.dmp
  yara_rule family_sectoprat: behavioral1/memory/2688-59-0x0000000000380000-0x0000000000BA8000-memory.dmp

Sectoprat family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: checking.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: checking.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: checking.exe)

Executes dropped EXE (3 IoCs)
  PID 2720 NordVPN.exe
  PID 2688 checking.exe
  PID 2988 NordVPN.exe

Loads dropped DLL (2 IoCs)
  PID 2308 JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
  PID 2988 NordVPN.exe

(signature name missing from page) yara_rule themida
  behavioral1/files/0x0037000000018710-14.dat
  behavioral1/memory/2688-58-0x0000000000380000-0x0000000000BA8000-memory.dmp
  behavioral1/memory/2688-59-0x0000000000380000-0x0000000000BA8000-memory.dmp

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: checking.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2688 checking.exe

Detects Pyinstaller (1 IoC)
  yara_rule pyinstaller: behavioral1/files/0x000c000000012243-9.dat

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: checking.exe)
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2720 (procid_target 29)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2720 (procid_target 29)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2720 (procid_target 29)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2688 (procid_target 31)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2688 (procid_target 31)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2688 (procid_target 31)
  PID 2308 (JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe) wrote to memory of 2688 (procid_target 31)
  PID 2720 (NordVPN.exe) wrote to memory of 2988 (procid_target 33)
  PID 2720 (NordVPN.exe) wrote to memory of 2988 (procid_target 33)
  PID 2720 (NordVPN.exe) wrote to memory of 2988 (procid_target 33)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe (depth 1, PID 2308)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\NordVPN.exe (depth 2, PID 2720)
    command line: "C:\ProgramData\NordVPN.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\NordVPN.exe (depth 3, PID 2988)
      command line: "C:\ProgramData\NordVPN.exe"
      - Executes dropped EXE
      - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\checking.exe (depth 2, PID 2688)
    command line: "C:\Users\Admin\AppData\Local\Temp\checking.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
Network
- No results found
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8.6MB
MD5: e1590f9efc426b3a73698a1270f759c1
SHA1: 5f2b57e634061292f9aa309b82e466ebd916e494
SHA256: 04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd
SHA512: fe1cdc5dc437cd64e38a72f1567d7ce11dfd980c7d4fcd013e9e6ad0cf08e7743f7c77c83ba1c0731cb011f33b5924ce13a8890722a901d02b88512d9bf42125

Filesize: 4.3MB
MD5: 1d5e4c20a20740f38f061bdf48aaca4f
SHA1: de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0
SHA256: f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366
SHA512: 9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Filesize: 3.0MB
MD5: 6b7435cbc5c64eecf529312f969358de
SHA1: eb69b8132bb7624626e5334bb23fe71b3b99cd7b
SHA256: d8b92a8851ad6c7e63b80c83ef64821502333737bd1bf88ae6631a63e6f9f2e7
SHA512: b170329259f60dccc4012c23cf12645b43e9be79f5bbcb0af817c05b862c683fe2c7358b74f1f14c7fd071f8cd21d220ad6c156ba37a695387e6c688fafc9978