Analysis

max time kernel: 132s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 09:35

Static task: static1
Behavioral task: behavioral1
Sample: e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
Resource: win7-20240221-en

General

Target: e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
Size: 592KB
MD5: e180347578de3564e7dea536a9af509b
SHA1: 3dd9e99d7088a1d54e5b43cd065a2b4d0b38ac13
SHA256: 393d7ddd34d8d91c29a94de6f2c0a648deafd20c851d478e0073cd9430a96554
SHA512: b9dd2fc75a52abe9012ad588ba95ff4e61082689e701fb8e164f9149cbe5fcfc90452e99cc18a580173f231c9ed148a95ffeb5ec06329760cfb65ed50c2eff59
SSDEEP: 12288:pANwRo+mv8QD4+0V1627qqB3AtJQFKUZE+RTnyL6FpUmWGPTXeBhcqlMhVkyoF8K:pAT8QE+kAqBTC+Zny0rSBh3SVtoFB
Malware Config

Extracted
Family: redline
Botnet: Live
C2: 18.118.84.99:1050
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x0006000000016d62-73.dat                                    family_redline
behavioral1/memory/2932-75-0x0000000000ED0000-0x0000000000EF2000-memory.dmp   family_redline

SectopRAT payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x0006000000016d62-73.dat                                    family_sectoprat
behavioral1/memory/2932-75-0x0000000000ED0000-0x0000000000EF2000-memory.dmp   family_sectoprat
Both rules match the same dropped file and the same memory region of SMart.exe (PID 2932), and the only configuration extracted is RedLine's; family classification should follow the extracted config rather than the second rule name.
Executes dropped EXE (4 IoCs)
pid    Process
2684   Setup.exe
2732   stats.exe
2880   stats.tmp
2932   SMart.exe

Loads dropped DLL (6 IoCs)
pid    Process
332    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
332    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
2732   stats.exe
2880   stats.tmp
2880   stats.tmp
2880   stats.tmp

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
3      ipinfo.io
5      ipinfo.io

Drops file in Program Files directory (2 IoCs)
description                    ioc                                                   Process
File opened for modification   C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
File opened for modification   C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description              flow   ioc
HTTP User-Agent header   4      Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This string is the default User-Agent of the WinHttp.WinHttpRequest COM object, so the request was issued from script or installer code rather than from a browser.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid    Process
2684   Setup.exe
2684   Setup.exe
2684   Setup.exe
2880   stats.tmp
2880   stats.tmp

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   2684   Setup.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid    Process
2880   stats.tmp

Suspicious use of WriteProcessMemory (22 IoCs)
The 22 rows are repeats of four writer-to-target pairs; each pair is listed once with its repeat count.
description                        pid    Process                                              procid_target   count
PID 332 wrote to memory of 2684    332    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe   28              4
PID 332 wrote to memory of 2732    332    e180347578de3564e7dea536a9af509b_JaffaCakes118.exe   29              7
PID 2732 wrote to memory of 2880   2732   stats.exe                                            30              7
PID 2684 wrote to memory of 2932   2684   Setup.exe                                            32              4
Every write pair coincides with a parent/child spawn in the process tree (332 -> 2684 Setup.exe, 332 -> 2732 stats.exe, 2732 -> 2880 stats.tmp, 2684 -> 2932 SMart.exe).
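The three network-facing signatures in this report (the ipinfo.io lookups, the WinHttpRequest user-agent and the extracted C2) are simple enough to replay as detection logic. The following is an added example, not part of the sandbox report or of any sandbox's code: it scores a handful of constructed flow records against those checks. The Flow record layout, the extra IP-echo hosts beyond ipinfo.io, the extra user-agent patterns beyond WinHttpRequest, and all placeholder IPs and hostnames are this example's own assumptions; only ipinfo.io, the WinHttpRequest user-agent and 18.118.84.99:1050 come from the report.

```python
import re
from dataclasses import dataclass


# Public IP-echo services. Only ipinfo.io appears in the report; the rest are
# this example's own additions.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me", "icanhazip.com"}

# User-agents that identify a script host or installer rather than a browser.
# The first is the default UA of the WinHttp.WinHttpRequest COM object, which
# is the one the report observed; the others are this example's additions.
SCRIPT_UA_PATTERNS = [
    re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I),
    re.compile(r"WindowsPowerShell/", re.I),
    re.compile(r"^python-requests/", re.I),
]

# C2 endpoint from the report's Malware Config.
EXTRACTED_C2 = {("18.118.84.99", 1050)}


@dataclass
class Flow:
    """A constructed flow record; the field names are this example's own."""
    flow_id: int
    proto: str          # "dns", "http" or "tcp"
    dst_ip: str
    dst_port: int
    host: str = ""      # DNS query name or HTTP Host header
    user_agent: str = ""


@dataclass(frozen=True)
class Finding:
    flow_id: int
    signature: str
    ioc: str


def evaluate(flows):
    """Apply the three network checks to every flow; one flow may yield several findings."""
    findings = []
    for f in flows:
        if (f.dst_ip, f.dst_port) in EXTRACTED_C2:
            findings.append(Finding(f.flow_id, "Contacts extracted C2", f"{f.dst_ip}:{f.dst_port}"))
        host = f.host.lower().rstrip(".")  # tolerate a trailing dot in DNS names
        if host in IP_LOOKUP_HOSTS:
            findings.append(Finding(f.flow_id, "Looks up external IP address via web service", host))
        if f.proto == "http" and any(p.search(f.user_agent) for p in SCRIPT_UA_PATTERNS):
            findings.append(Finding(f.flow_id, "Script User-Agent", f.user_agent))
    return findings


def summarize(findings):
    """Group findings as {signature: [flow ids]}, mirroring the report's 'N IoCs' blocks."""
    out = {}
    for fd in findings:
        out.setdefault(fd.signature, []).append(fd.flow_id)
    return out


# Constructed flows, loosely modelled on flows 3-5 of the report. The resolver
# and web-server IPs and the non-ipinfo hostnames are placeholders.
SAMPLE_FLOWS = [
    Flow(3, "dns", "192.0.2.53", 53, host="ipinfo.io"),
    Flow(4, "http", "203.0.113.10", 80, host="updates.example.test",
         user_agent="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"),
    Flow(5, "dns", "192.0.2.53", 53, host="ipinfo.io."),
    Flow(6, "tcp", "18.118.84.99", 1050),
    Flow(7, "http", "203.0.113.11", 80, host="www.example.test",
         user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:109.0) Gecko/20100101 Firefox/115.0"),
]


if __name__ == "__main__":
    for sig, ids in summarize(evaluate(SAMPLE_FLOWS)).items():
        print(f"{sig} ({len(ids)} IoCs): flows {ids}")
```

The C2 check is exact-match on the extracted endpoint, which is deliberate: a port-only or IP-only match would be noisy, and the config extractor already gives the precise pair. Flow 7 (a browser user-agent to an unrelated host) is included as the negative case.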
Processes

C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"
  PID: 332
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe (depth 2, parent 332)
    Command line: "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
    PID: 2684
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SMart.exe (depth 3, parent 2684)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SMart.exe"
      PID: 2932
      - Executes dropped EXE

  C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe (depth 2, parent 332)
    Command line: "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
    PID: 2732
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp (depth 3, parent 2732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp" /SL5="$301F0,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
      PID: 2880
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

The stats.exe branch is an Inno Setup installer: an is-XXXXX.tmp\*.tmp extraction stub started with /SL5="..." arguments is Inno Setup's bootstrap, and /Verysilent is its silent-install switch. The Setup.exe branch is where the RedLine payload runs: Setup.exe enables SeDebugPrivilege, enumerates processes and writes to SMart.exe, the dropped executable whose memory region 0x00ED0000-0x00EF2000 matches the family_redline rule.
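The flat WriteProcessMemory table and the process tree above carry the same lineage information, and it is worth being able to recover one from the other when only the signature export is available. The following is an added example, not part of the sandbox report or of any sandbox's tooling: it parses the report's own WriteProcessMemory rows (reproduced verbatim, with the repeated rows expressed as string multiplication) and the YARA memory resource strings, rebuilds the tree with per-edge write counts, and annotates each edge with the privilege, dropped-EXE and YARA facts the report lists. The regular expressions, the record layout and the annotation logic are this example's own.

```python
import re
from collections import Counter, defaultdict

# The report's 22 WriteProcessMemory rows. They are identical repeats of four
# records, so the flat text is reproduced here by string multiplication.
WRITE_ROWS = (
    "PID 332 wrote to memory of 2684 332 e180347578de3564e7dea536a9af509b_JaffaCakes118.exe 28 " * 4
    + "PID 332 wrote to memory of 2732 332 e180347578de3564e7dea536a9af509b_JaffaCakes118.exe 29 " * 7
    + "PID 2732 wrote to memory of 2880 2732 stats.exe 30 " * 7
    + "PID 2684 wrote to memory of 2932 2684 Setup.exe 32 " * 4
)

# YARA resources from the 'RedLine payload' and 'SectopRAT payload' blocks.
YARA_RESOURCES = [
    ("behavioral1/files/0x0006000000016d62-73.dat", "family_redline"),
    ("behavioral1/memory/2932-75-0x0000000000ED0000-0x0000000000EF2000-memory.dmp", "family_redline"),
    ("behavioral1/files/0x0006000000016d62-73.dat", "family_sectoprat"),
    ("behavioral1/memory/2932-75-0x0000000000ED0000-0x0000000000EF2000-memory.dmp", "family_sectoprat"),
]

# From 'Executes dropped EXE' and 'Suspicious use of AdjustPrivilegeToken'.
DROPPED_EXE = {2684: "Setup.exe", 2732: "stats.exe", 2880: "stats.tmp", 2932: "SMart.exe"}
TOKEN_PRIVS = {2684: {"SeDebugPrivilege"}}

# Row layout: "PID <w> wrote to memory of <t> <w> <process> <procid_target>"
# (process names containing spaces would need a stricter pattern).
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# Resource layout: "behavioral1/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp"
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_write_rows(text):
    """Collapse the flat rows into {(writer_pid, writer_name, target_pid, procid_target): count}."""
    edges = Counter()
    for w, t, w2, name, pt in ROW_RE.findall(text):
        if w != w2:  # the writer pid appears twice per row; they must agree
            raise ValueError(f"malformed row: {w} != {w2}")
        edges[(int(w), name, int(t), int(pt))] += 1
    return edges


def parse_memory_hits(resources):
    """Return {pid: {rule: (start, end)}} for the memory-dump matches only."""
    hits = defaultdict(dict)
    for res, rule in resources:
        m = MEM_RE.search(res)
        if m:
            hits[int(m.group(1))][rule] = (int(m.group(2), 16), int(m.group(3), 16))
    return dict(hits)


def build_tree(edges):
    """Derive children, display names and root pids from the write edges alone."""
    children, names = defaultdict(list), {}
    for (w, wname, t, _pt), n in edges.items():
        names[w] = wname
        names.setdefault(t, DROPPED_EXE.get(t, "?"))
        children[w].append((t, n))
    targets = {t for lst in children.values() for t, _ in lst}
    roots = [p for p in names if p not in targets]
    return children, names, roots


def render_tree(children, names, pid, depth=0, writes=0):
    """Indented lineage, each child tagged with the number of writes from its parent."""
    tag = f" [{writes} writes from parent]" if writes else ""
    lines = [f"{'  ' * depth}{pid} {names[pid]}{tag}"]
    for child, n in sorted(children.get(pid, [])):
        lines.extend(render_tree(children, names, child, depth + 1, n))
    return lines


def annotate(edges, mem_hits):
    """One record per edge: (writer, target, count, notes) with what the report says about them."""
    out = []
    for (w, wname, t, _pt), n in sorted(edges.items()):
        notes = []
        if t in DROPPED_EXE:
            notes.append("target is a dropped EXE")
        if TOKEN_PRIVS.get(w):
            notes.append("writer holds " + ", ".join(sorted(TOKEN_PRIVS[w])))
        for rule, (s, e) in sorted(mem_hits.get(t, {}).items()):
            notes.append(f"target memory {s:#x}-{e:#x} ({e - s} bytes) matched {rule}")
        out.append((f"{w} {wname}", f"{t} {DROPPED_EXE.get(t, '?')}", n, notes))
    return out


if __name__ == "__main__":
    edges = parse_write_rows(WRITE_ROWS)
    children, names, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render_tree(children, names, root)))
    for writer, target, n, notes in annotate(edges, parse_memory_hits(YARA_RESOURCES)):
        print(f"{writer} -> {target} x{n}: {'; '.join(notes) or '-'}")
```

Run on the report's rows, the reconstructed tree is identical to the Processes section, which is the point of the caveat: every write edge here is a parent writing to a child it just spawned, so the edges reproduce lineage rather than prove injection on their own. What singles out the Setup.exe -> SMart.exe edge is the combination the annotation surfaces: the writer holds SeDebugPrivilege and the target's memory region is the one the family_redline rule matched.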
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: e4ce3b2f37e7ba8cdd28e00cb79c8db9
SHA1: 5d74e57477afc66a0578d1227de9d9e28bd588d5
SHA256: a13daef3e2de76cb00b9a746e75eaf1226fe5a2f2be98b80162c173b2005a33b
SHA512: 5b0fd9f3385768e9a3590aa908ea09caa9ca8cdd2c4e0f7064ceddd85c61df5c0144e6751394fa850dfd090377bd7c6701206fa52133c75486128443f99385f3

Filesize: 116KB
MD5: 2133233e31518892b3937fef038453ab
SHA1: d30104d49b739a5c2b426f22c5068251959684d2
SHA256: 30057b4659a3b3ebc5e10e67f0f09511ecdd1a501cd2d3bfafc8c64518306e2b
SHA512: 848525726422a75d6a0821d4342a0443bf6113fc308d0c3f4157cf17664aecd22b53bf47083299556b83352b9ad55dfe587c1e03b01444eb9a457834601c0c1c

Filesize: 380KB
MD5: 266395599ca5e0a6b0cb2fc0dea283b5
SHA1: 990164b2f7646b38fc8a4abf62c3cc1d64f8839d
SHA256: 99d12483e75a7615286e49e3df257033f8365431d57258ef763976cd1c2c2577
SHA512: 0637b8a1074dee57b3611c6594a0ee4259415538d39203c086d5d80eb5e01ef5e29205c692d1abeb7585c91a4efaa53083aa72ae1288713fab9767862350cf38

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Filesize: 200KB
MD5: d82a429efd885ca0f324dd92afb6b7b8
SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Filesize: 694KB
MD5: ffcf263a020aa7794015af0edee5df0b
SHA1: bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256: 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512: 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a