Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 09:35
Static task: static1
Behavioral task: behavioral1
Sample: e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
Size: 592KB
MD5: e180347578de3564e7dea536a9af509b
SHA1: 3dd9e99d7088a1d54e5b43cd065a2b4d0b38ac13
SHA256: 393d7ddd34d8d91c29a94de6f2c0a648deafd20c851d478e0073cd9430a96554
SHA512: b9dd2fc75a52abe9012ad588ba95ff4e61082689e701fb8e164f9149cbe5fcfc90452e99cc18a580173f231c9ed148a95ffeb5ec06329760cfb65ed50c2eff59
SSDEEP: 12288:pANwRo+mv8QD4+0V1627qqB3AtJQFKUZE+RTnyL6FpUmWGPTXeBhcqlMhVkyoF8K:pAT8QE+kAqBTC+Zny0rSBh3SVtoFB
Malware Config
Extracted
Family: redline
Botnet: Live
C2: 18.118.84.99:1050
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023399-65.dat | family_redline
behavioral2/memory/400-136-0x0000000000160000-0x0000000000182000-memory.dmp | family_redline

SectopRAT payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023399-65.dat | family_sectoprat
behavioral2/memory/400-136-0x0000000000160000-0x0000000000182000-memory.dmp | family_sectoprat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | Setup.exe

Executes dropped EXE (4 IoCs)
pid | Process
3772 | Setup.exe
4376 | stats.exe
3156 | stats.tmp
400 | SMart.exe

Loads dropped DLL (2 IoCs)
pid | Process
3156 | stats.tmp
3156 | stats.tmp

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
18 | ipinfo.io
22 | ipinfo.io

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Setup.exe

Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 27 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3772 | Setup.exe
3772 | Setup.exe
3772 | Setup.exe
3772 | Setup.exe
3156 | stats.tmp
3156 | stats.tmp

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3772 | Setup.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3156 | stats.tmp

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3460 wrote to memory of 3772 | 3460 | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe | 96
PID 3460 wrote to memory of 3772 | 3460 | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe | 96
PID 3460 wrote to memory of 4376 | 3460 | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe | 97
PID 3460 wrote to memory of 4376 | 3460 | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe | 97
PID 3460 wrote to memory of 4376 | 3460 | e180347578de3564e7dea536a9af509b_JaffaCakes118.exe | 97
PID 4376 wrote to memory of 3156 | 4376 | stats.exe | 98
PID 4376 wrote to memory of 3156 | 4376 | stats.exe | 98
PID 4376 wrote to memory of 3156 | 4376 | stats.exe | 98
PID 3772 wrote to memory of 400 | 3772 | Setup.exe | 100
PID 3772 wrote to memory of 400 | 3772 | Setup.exe | 100
PID 3772 wrote to memory of 400 | 3772 | Setup.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 3460

    C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
      Command line: "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3772

        C:\Users\Admin\AppData\Local\Temp\SMart.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\SMart.exe"
          - Executes dropped EXE
          PID: 400

    C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
      Command line: "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4376

        C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp" /SL5="$901F8,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          PID: 3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
  PID: 1072
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: e4ce3b2f37e7ba8cdd28e00cb79c8db9
SHA1: 5d74e57477afc66a0578d1227de9d9e28bd588d5
SHA256: a13daef3e2de76cb00b9a746e75eaf1226fe5a2f2be98b80162c173b2005a33b
SHA512: 5b0fd9f3385768e9a3590aa908ea09caa9ca8cdd2c4e0f7064ceddd85c61df5c0144e6751394fa850dfd090377bd7c6701206fa52133c75486128443f99385f3

Filesize: 380KB
MD5: 266395599ca5e0a6b0cb2fc0dea283b5
SHA1: 990164b2f7646b38fc8a4abf62c3cc1d64f8839d
SHA256: 99d12483e75a7615286e49e3df257033f8365431d57258ef763976cd1c2c2577
SHA512: 0637b8a1074dee57b3611c6594a0ee4259415538d39203c086d5d80eb5e01ef5e29205c692d1abeb7585c91a4efaa53083aa72ae1288713fab9767862350cf38

Filesize: 116KB
MD5: 2133233e31518892b3937fef038453ab
SHA1: d30104d49b739a5c2b426f22c5068251959684d2
SHA256: 30057b4659a3b3ebc5e10e67f0f09511ecdd1a501cd2d3bfafc8c64518306e2b
SHA512: 848525726422a75d6a0821d4342a0443bf6113fc308d0c3f4157cf17664aecd22b53bf47083299556b83352b9ad55dfe587c1e03b01444eb9a457834601c0c1c

Filesize: 694KB
MD5: ffcf263a020aa7794015af0edee5df0b
SHA1: bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256: 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512: 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Filesize: 200KB
MD5: d82a429efd885ca0f324dd92afb6b7b8
SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df