Analysis
-
max time kernel
128s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 12:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe
Resource
win7-20240221-en
8 signatures
150 seconds
General
-
Target
e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe
-
Size
949KB
-
MD5
e28c1eb3901ebf8a350118119051a879
-
SHA1
499e2379b855f891b01d46375573b82f52eeaff8
-
SHA256
a19cee0f8d7ce055c99ddfd266c56af0856771e6ad5989b4bcc279cbd780b070
-
SHA512
610ebe54d3cc49754e7e91d2e96693ddb017e507367531824fc9b4a557625ea2a1d6afed6730a92517acf91111b3154323b9dbae0ecee3b9d61ed13c826a5129
-
SSDEEP
12288:AGRi/B4pVZi9702Hwi+b5bt+Bx9NmWnYSseiz6UOWqHh33rONpg3/IzsqLACkjgc:RzVZHi+bNENm8cxO/Br0O3/IHLd0
Malware Config
Extracted
Family
redline
Botnet
@Scrymix
C2
45.129.236.209:42801
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2396-12-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2396-14-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2396-18-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2396-21-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2396-23-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 7 IoCs
resource yara_rule behavioral1/memory/2396-12-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2396-14-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2396-18-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2396-21-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2396-23-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2396-25-0x0000000004D70000-0x0000000004DB0000-memory.dmp family_sectoprat behavioral1/memory/2396-27-0x0000000004D70000-0x0000000004DB0000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1644 set thread context of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe Token: SeDebugPrivilege 2396 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2388 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2388 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2388 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2388 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2396 1644 e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"2⤵PID:2388
-
-
C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e28c1eb3901ebf8a350118119051a879_JaffaCakes118.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396
-