sectoprat | 0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
Size

17.3MB
MD5

1afbd223308a0b0f6b91f78a2761776b
SHA1

12c79907889dbf3d3709630d7bdf7a434fcd9c3f
SHA256

0d564cec7757d6674dddf43f0feff9d31a926c7fd65396864ff170b3471f06b6
SHA512

6123d38466e56897c52355ddc104735ceab968bad58b24ae3b659c74efb607397c644a29ec3bccc7a656f08085487f377ef74b92baa12666ac01a2defc6bb4cf
SSDEEP

196608:Bc9OvKxJo/Rps2SQ19lT5MkWHxiJdO94diELmIHOL34WQU3Zu/O:2ovKxRQ1fT5MkWHxiJgEduj4g3ZuO

Score

10^/10

sectoprat discovery evasion pyinstaller rat themida trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/5032-169-0x00000000000C0000-0x00000000008E8000-memory.dmp	family_sectoprat
behavioral2/memory/5032-170-0x00000000000C0000-0x00000000008E8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	checking.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	checking.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	checking.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe

Executes dropped EXE 3 IoCs

pid	Process
3972	NordVPN.exe
5032	checking.exe
4540	NordVPN.exe

Loads dropped DLL 16 IoCs

pid	Process
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe
4540	NordVPN.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a000000023b84-40.dat	themida
behavioral2/memory/5032-169-0x00000000000C0000-0x00000000008E8000-memory.dmp	themida
behavioral2/memory/5032-170-0x00000000000C0000-0x00000000008E8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	checking.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5032	checking.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000b000000023b83-8.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	checking.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3972	4764	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe	84
PID 4764 wrote to memory of 3972	4764	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe	84
PID 4764 wrote to memory of 5032	4764	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe	86
PID 4764 wrote to memory of 5032	4764	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe	86
PID 4764 wrote to memory of 5032	4764	JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe	86
PID 3972 wrote to memory of 4540	3972	NordVPN.exe	88
PID 3972 wrote to memory of 4540	3972	NordVPN.exe	88
PID 4540 wrote to memory of 2172	4540	NordVPN.exe	89
PID 4540 wrote to memory of 2172	4540	NordVPN.exe	89
PID 4540 wrote to memory of 3124	4540	NordVPN.exe	90
PID 4540 wrote to memory of 3124	4540	NordVPN.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1afbd223308a0b0f6b91f78a2761776b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\ProgramData\NordVPN.exe
  "C:\ProgramData\NordVPN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\ProgramData\NordVPN.exe
    "C:\ProgramData\NordVPN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c title [NordVPN]
      4⤵
      PID:2172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3124
- C:\Users\Admin\AppData\Local\Temp\checking.exe
  "C:\Users\Admin\AppData\Local\Temp\checking.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NordVPN.exe

Filesize
8.6MB

MD5
e1590f9efc426b3a73698a1270f759c1

SHA1
5f2b57e634061292f9aa309b82e466ebd916e494

SHA256
04eaed269089988d200455b2d083f75e6b4e65d408bda3327384e743275113cd

SHA512
fe1cdc5dc437cd64e38a72f1567d7ce11dfd980c7d4fcd013e9e6ad0cf08e7743f7c77c83ba1c0731cb011f33b5924ce13a8890722a901d02b88512d9bf42125

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_bz2.pyd

Filesize
84KB

MD5
a991152fd5b8f2a0eb6c34582adf7111

SHA1
3589342abea22438e28aa0a0a86e2e96e08421a1

SHA256
7301fc2447e7e6d599472d2c52116fbe318a9ff9259b8a85981c419bfd20e3ef

SHA512
f039ac9473201d27882c0c11e5628a10bdbe5b4c9b78ead246fd53f09d25e74c984e9891fccbc27c63edc8846d5e70f765ca7b77847a45416675d2e7c04964fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_hashlib.pyd

Filesize
64KB

MD5
88e2bf0a590791891fb5125ffcf5a318

SHA1
39f96abbabf3fdd46844ba5190d2043fb8388696

SHA256
e7aecb61a54dcc77b6d9cafe9a51fd1f8d78b2194cc3baf6304bbd1edfd0aee6

SHA512
7d91d2fa95bb0ffe92730679b9a82e13a3a6b9906b2c7f69bc9065f636a20be65e1d6e7a557bfd6e4b80edd0f00db92eb7fea06345c2c9b98176c65d18c4bdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_lzma.pyd

Filesize
159KB

MD5
cdd13b537dad6a910cb9cbb932770dc9

SHA1
b37706590d5b6f18c042119d616df6ff8ce3ad46

SHA256
638cd8c336f90629a6260e67827833143939497d542838846f4fc94b2475bb3e

SHA512
c375fb6914cda3ae7829d016d3084f3b5b9f78f200a62f076ec1646576f87694eec7fa6f1c99cbe30824f2fe6e2d61ecdeb50061383b12143cd2678004703199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_queue.pyd

Filesize
28KB

MD5
f19d9a56df14aea465e7ead84751ea5f

SHA1
f170ccbeb8fb4a1e0fe56f9a7c20ae4c1a48e4a9

SHA256
17ccd37dfba38bba706189d12ed28ca32c7330cc60db7bf203bf7198287073e4

SHA512
2b69a11026bf4fe3792082d57eaf3b24713e7bd44dfd61ccaa6e5adb6771e49b6c81c1b542fbb159c9055db9739b9c4473a856914c72683a2a4cf658d6d7a469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_ssl.pyd

Filesize
151KB

MD5
cf7886b3ac590d2ea1a6efe4ee47dc20

SHA1
8157a0c614360162588f698a2b0a4efe321ea427

SHA256
3d183c1b3a24d634387cce3835f58b8e1322bf96ab03f9fe9f02658fb17d1f8c

SHA512
b171f7d683621fdab5989bfed20c3f6479037035f334ea9a19feb1184f46976095a7666170a06f1258c6ddf2c1f8bdb4e31cbfd33d3b8fa4b330f097d1c09d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\base_library.zip

Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\python3.dll

Filesize
58KB

MD5
ea3cd6ac4992ce465ee33dd168a9aad1

SHA1
158d9f8935c2bd20c90175164e6ca861a1dfeedb

SHA256
201f32a2492b18956969dc0417e2ef0ff14fdbf57fb07d77864ed36286170710

SHA512
ebae7c4d134a2db79938c219fa0156b32ec2b9a57a92877e9283ce19d36b40bf7048ca4d9743e1a1d811f6cb1c7339a6dd53c48df81838e5c962be39bf6d5d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\select.pyd

Filesize
28KB

MD5
fed3dae56f7c9ea35d2e896fede29581

SHA1
ae5b2ef114138c4d8a6479d6441967c170c5aa23

SHA256
d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

SHA512
3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\unicodedata.pyd

Filesize
1.1MB

MD5
cd12c15c6eef60d9ea058cd4092e5d1b

SHA1
57a7c0b0468f0be8e824561b45f86e0aa0db28dd

SHA256
e3ab6e5749a64e04ee8547f71748303ba159dd68dfc402cb69356f35e645badd

SHA512
514e76174f977cc73300bc40ff170007a444e743a39947d5e2f76e60b2a149c16d57b42b6a82a7fea8dd4e9addb3e876d8ab50ea1898ee896c1907667277cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\checking.exe

Filesize
3.0MB

MD5
6b7435cbc5c64eecf529312f969358de

SHA1
eb69b8132bb7624626e5334bb23fe71b3b99cd7b

SHA256
d8b92a8851ad6c7e63b80c83ef64821502333737bd1bf88ae6631a63e6f9f2e7

SHA512
b170329259f60dccc4012c23cf12645b43e9be79f5bbcb0af817c05b862c683fe2c7358b74f1f14c7fd071f8cd21d220ad6c156ba37a695387e6c688fafc9978

Download Submit
memory/4764-132-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/4764-0-0x00007FFC0E973000-0x00007FFC0E975000-memory.dmp

Filesize
8KB

Download
memory/4764-3-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/4764-2-0x000000001D660000-0x000000001E1DE000-memory.dmp

Filesize
11.5MB

Download
memory/4764-1-0x0000000000650000-0x0000000001792000-memory.dmp

Filesize
17.3MB

Download
memory/5032-131-0x00000000000C0000-0x00000000008E8000-memory.dmp

Filesize
8.2MB

Download
memory/5032-169-0x00000000000C0000-0x00000000008E8000-memory.dmp

Filesize
8.2MB

Download
memory/5032-170-0x00000000000C0000-0x00000000008E8000-memory.dmp

Filesize
8.2MB

Download
memory/5032-171-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/5032-172-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/5032-173-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/5032-174-0x0000000005540000-0x000000000557C000-memory.dmp

Filesize
240KB

Download
memory/5032-175-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/5032-177-0x00000000000C0000-0x00000000008E8000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads