Analysis
max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
06/04/2024, 15:04
Static task
static1
Behavioral task
behavioral1
Sample
e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe
Resource
win7-20240221-en
General
Target
e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe
Size
2.3MB
MD5
e2cdbe43745e8ef737fded5c21bfd162
SHA1
533fc6c2aecaeca8211277ffa74d055fb7eb45fc
SHA256
71d3b36be058908e96750ba536922bb0748c3b3dabe78dfc9276bed4b01ea0e6
SHA512
927271572c1db35a050d1a7cf0ad85745d812a5e068f3c25b6d83e60182a46816b7655e0e52aec3dc355830514d7c43b86dfe06c5d5c7cbc3283199f467efd8f
SSDEEP
49152:n5+hFCyngKZOwMTUeAsGO/um1/9ve6lIXSOOCPxiz8lVHTIioOFZQ+X:n5aFpZOwMQl7aFlf2xiqZ7X
Malware Config
Extracted
redline
@Kypidss
45.14.49.109:21295
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource                                                                      yara_rule
behavioral1/files/0x0005000000018698-91.dat                                   family_redline
behavioral1/memory/2680-92-0x0000000000370000-0x000000000038E000-memory.dmp   family_redline
SectopRAT payload 2 IoCs
resource                                                                      yara_rule
behavioral1/files/0x0005000000018698-91.dat                                   family_sectoprat
behavioral1/memory/2680-92-0x0000000000370000-0x000000000038E000-memory.dmp   family_sectoprat
Executes dropped EXE 11 IoCs
pid   Process
2704  7z.exe
2716  7z.exe
2640  7z.exe
2660  7z.exe
2596  7z.exe
2364  7z.exe
2480  7z.exe
2972  7z.exe
1032  7z.exe
1808  7z.exe
2680  @Kypidss.exe
Loads dropped DLL 20 IoCs
pid   Process
2844  cmd.exe
2704  7z.exe
2844  cmd.exe
2716  7z.exe
2844  cmd.exe
2640  7z.exe
2844  cmd.exe
2660  7z.exe
2844  cmd.exe
2596  7z.exe
2844  cmd.exe
2364  7z.exe
2844  cmd.exe
2480  7z.exe
2844  cmd.exe
2972  7z.exe
2844  cmd.exe
1032  7z.exe
2844  cmd.exe
1808  7z.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
2680  @Kypidss.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                 pid   Process
Token: SeRestorePrivilege   2704  7z.exe
Token: 35                   2704  7z.exe
Token: SeSecurityPrivilege  2704  7z.exe
Token: SeSecurityPrivilege  2704  7z.exe
Token: SeRestorePrivilege   2716  7z.exe
Token: 35                   2716  7z.exe
Token: SeSecurityPrivilege  2716  7z.exe
Token: SeSecurityPrivilege  2716  7z.exe
Token: SeRestorePrivilege   2640  7z.exe
Token: 35                   2640  7z.exe
Token: SeSecurityPrivilege  2640  7z.exe
Token: SeSecurityPrivilege  2640  7z.exe
Token: SeRestorePrivilege   2660  7z.exe
Token: 35                   2660  7z.exe
Token: SeSecurityPrivilege  2660  7z.exe
Token: SeSecurityPrivilege  2660  7z.exe
Token: SeRestorePrivilege   2596  7z.exe
Token: 35                   2596  7z.exe
Token: SeSecurityPrivilege  2596  7z.exe
Token: SeSecurityPrivilege  2596  7z.exe
Token: SeRestorePrivilege   2364  7z.exe
Token: 35                   2364  7z.exe
Token: SeSecurityPrivilege  2364  7z.exe
Token: SeSecurityPrivilege  2364  7z.exe
Token: SeRestorePrivilege   2480  7z.exe
Token: 35                   2480  7z.exe
Token: SeSecurityPrivilege  2480  7z.exe
Token: SeSecurityPrivilege  2480  7z.exe
Token: SeRestorePrivilege   2972  7z.exe
Token: 35                   2972  7z.exe
Token: SeSecurityPrivilege  2972  7z.exe
Token: SeSecurityPrivilege  2972  7z.exe
Token: SeRestorePrivilege   1032  7z.exe
Token: 35                   1032  7z.exe
Token: SeSecurityPrivilege  1032  7z.exe
Token: SeSecurityPrivilege  1032  7z.exe
Token: SeRestorePrivilege   1808  7z.exe
Token: 35                   1808  7z.exe
Token: SeSecurityPrivilege  1808  7z.exe
Token: SeSecurityPrivilege  1808  7z.exe
Token: SeDebugPrivilege     2680  @Kypidss.exe
Suspicious use of WriteProcessMemory 44 IoCs
description                         pid   Process                                              procid_target
PID 2808 wrote to memory of 2844    2808  e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe   28
PID 2808 wrote to memory of 2844    2808  e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe   28
PID 2808 wrote to memory of 2844    2808  e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe   28
PID 2808 wrote to memory of 2844    2808  e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe   28
PID 2844 wrote to memory of 2500    2844  cmd.exe                                              30
PID 2844 wrote to memory of 2500    2844  cmd.exe                                              30
PID 2844 wrote to memory of 2500    2844  cmd.exe                                              30
PID 2844 wrote to memory of 2704    2844  cmd.exe                                              31
PID 2844 wrote to memory of 2704    2844  cmd.exe                                              31
PID 2844 wrote to memory of 2704    2844  cmd.exe                                              31
PID 2844 wrote to memory of 2716    2844  cmd.exe                                              32
PID 2844 wrote to memory of 2716    2844  cmd.exe                                              32
PID 2844 wrote to memory of 2716    2844  cmd.exe                                              32
PID 2844 wrote to memory of 2640    2844  cmd.exe                                              33
PID 2844 wrote to memory of 2640    2844  cmd.exe                                              33
PID 2844 wrote to memory of 2640    2844  cmd.exe                                              33
PID 2844 wrote to memory of 2660    2844  cmd.exe                                              34
PID 2844 wrote to memory of 2660    2844  cmd.exe                                              34
PID 2844 wrote to memory of 2660    2844  cmd.exe                                              34
PID 2844 wrote to memory of 2596    2844  cmd.exe                                              35
PID 2844 wrote to memory of 2596    2844  cmd.exe                                              35
PID 2844 wrote to memory of 2596    2844  cmd.exe                                              35
PID 2844 wrote to memory of 2364    2844  cmd.exe                                              36
PID 2844 wrote to memory of 2364    2844  cmd.exe                                              36
PID 2844 wrote to memory of 2364    2844  cmd.exe                                              36
PID 2844 wrote to memory of 2480    2844  cmd.exe                                              37
PID 2844 wrote to memory of 2480    2844  cmd.exe                                              37
PID 2844 wrote to memory of 2480    2844  cmd.exe                                              37
PID 2844 wrote to memory of 2972    2844  cmd.exe                                              38
PID 2844 wrote to memory of 2972    2844  cmd.exe                                              38
PID 2844 wrote to memory of 2972    2844  cmd.exe                                              38
PID 2844 wrote to memory of 1032    2844  cmd.exe                                              39
PID 2844 wrote to memory of 1032    2844  cmd.exe                                              39
PID 2844 wrote to memory of 1032    2844  cmd.exe                                              39
PID 2844 wrote to memory of 1808    2844  cmd.exe                                              40
PID 2844 wrote to memory of 1808    2844  cmd.exe                                              40
PID 2844 wrote to memory of 1808    2844  cmd.exe                                              40
PID 2844 wrote to memory of 2592    2844  cmd.exe                                              41
PID 2844 wrote to memory of 2592    2844  cmd.exe                                              41
PID 2844 wrote to memory of 2592    2844  cmd.exe                                              41
PID 2844 wrote to memory of 2680    2844  cmd.exe                                              42
PID 2844 wrote to memory of 2680    2844  cmd.exe                                              42
PID 2844 wrote to memory of 2680    2844  cmd.exe                                              42
PID 2844 wrote to memory of 2680    2844  cmd.exe                                              42
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
2592  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e2cdbe43745e8ef737fded5c21bfd162_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID:2808

    C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2844

        C:\Windows\system32\mode.com
          command line: mode 65,10
          PID:2500

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e file.zip -p -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2704

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_9.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2716

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_8.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2640

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_7.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2660

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_6.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2596

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_5.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2364

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_4.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2480

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_3.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2972

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_2.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:1032

        C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          command line: 7z.exe e extracted/file_1.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:1808

        C:\Windows\system32\attrib.exe
          command line: attrib +H "@Kypidss.exe"
          - Views/modifies file attributes
          PID:2592

        C:\Users\Admin\AppData\Local\Temp\svchost\@Kypidss.exe
          command line: "@Kypidss.exe"
          - Executes dropped EXE
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious use of AdjustPrivilegeToken
          PID:2680
Network
MITRE ATT&CK Enterprise v15
Downloads