Analysis
- max time kernel: 132s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 13:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: fcd6f9dc4c2dedb09f02e98ae484275c_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: fcd6f9dc4c2dedb09f02e98ae484275c_JaffaCakes118.exe
- Size: 2.3MB
- MD5: fcd6f9dc4c2dedb09f02e98ae484275c
- SHA1: 3caa9da0bdd2d95f9e4f2293e16fb3f0609c0aa1
- SHA256: 2b8dd6e401df9a624a3255fce908ac384eb3013d69651c0d133521e2409cbdf9
- SHA512: e790c7d0af673e4c6c414b27af5fdd894708f31c03943ff2f5d2f28c2c0f261e62c86fd177228c524eae28d450c8934f3b0ca2f117aad2b87c7c21e935b2ece5
- SSDEEP: 49152:25+hF6ujRlg2cvPauujSAzH9GsnfBgh2Px5ej75/xiz8lVHTIioOFZQ+R:25aF6ujRmFDAz9fBx5ev5/xiqZ7R
Malware Config
Extracted
- Family: redline
- Botnet: @DitrC
- C2: 45.132.104.217:12780
- auth_value: bb67ccc49d44343128ca161d7fe51029
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\main\extracted\DitrC.exe | family_redline
behavioral1/memory/2544-99-0x0000000000D20000-0x0000000000D42000-memory.dmp | family_redline
behavioral1/memory/2544-101-0x0000000004AD0000-0x0000000004B10000-memory.dmp | family_redline
-
SectopRAT payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\main\extracted\DitrC.exe | family_sectoprat
behavioral1/memory/2544-99-0x0000000000D20000-0x0000000000D42000-memory.dmp | family_sectoprat
behavioral1/memory/2544-101-0x0000000004AD0000-0x0000000004B10000-memory.dmp | family_sectoprat
-
Executes dropped EXE 12 IoCs
Processes:
pid | process
2712 | 7z.exe
2560 | 7z.exe
3044 | 7z.exe
2476 | 7z.exe
2456 | 7z.exe
2528 | 7z.exe
2248 | 7z.exe
2836 | 7z.exe
2956 | 7z.exe
1336 | 7z.exe
1152 | 7z.exe
2544 | DitrC.exe
-
Loads dropped DLL 22 IoCs
Processes:
pid | process
3020 | cmd.exe
2712 | 7z.exe
3020 | cmd.exe
2560 | 7z.exe
3020 | cmd.exe
3044 | 7z.exe
3020 | cmd.exe
2476 | 7z.exe
3020 | cmd.exe
2456 | 7z.exe
3020 | cmd.exe
2528 | 7z.exe
3020 | cmd.exe
2248 | 7z.exe
3020 | cmd.exe
2836 | 7z.exe
3020 | cmd.exe
2956 | 7z.exe
3020 | cmd.exe
1336 | 7z.exe
3020 | cmd.exe
1152 | 7z.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
2544 | DitrC.exe
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2712 | 7z.exe
Token: 35 | 2712 | 7z.exe
Token: SeSecurityPrivilege | 2712 | 7z.exe
Token: SeSecurityPrivilege | 2712 | 7z.exe
Token: SeRestorePrivilege | 2560 | 7z.exe
Token: 35 | 2560 | 7z.exe
Token: SeSecurityPrivilege | 2560 | 7z.exe
Token: SeSecurityPrivilege | 2560 | 7z.exe
Token: SeRestorePrivilege | 3044 | 7z.exe
Token: 35 | 3044 | 7z.exe
Token: SeSecurityPrivilege | 3044 | 7z.exe
Token: SeSecurityPrivilege | 3044 | 7z.exe
Token: SeRestorePrivilege | 2476 | 7z.exe
Token: 35 | 2476 | 7z.exe
Token: SeSecurityPrivilege | 2476 | 7z.exe
Token: SeSecurityPrivilege | 2476 | 7z.exe
Token: SeRestorePrivilege | 2456 | 7z.exe
Token: 35 | 2456 | 7z.exe
Token: SeSecurityPrivilege | 2456 | 7z.exe
Token: SeSecurityPrivilege | 2456 | 7z.exe
Token: SeRestorePrivilege | 2528 | 7z.exe
Token: 35 | 2528 | 7z.exe
Token: SeSecurityPrivilege | 2528 | 7z.exe
Token: SeSecurityPrivilege | 2528 | 7z.exe
Token: SeRestorePrivilege | 2248 | 7z.exe
Token: 35 | 2248 | 7z.exe
Token: SeSecurityPrivilege | 2248 | 7z.exe
Token: SeSecurityPrivilege | 2248 | 7z.exe
Token: SeRestorePrivilege | 2836 | 7z.exe
Token: 35 | 2836 | 7z.exe
Token: SeSecurityPrivilege | 2836 | 7z.exe
Token: SeSecurityPrivilege | 2836 | 7z.exe
Token: SeRestorePrivilege | 2956 | 7z.exe
Token: 35 | 2956 | 7z.exe
Token: SeSecurityPrivilege | 2956 | 7z.exe
Token: SeSecurityPrivilege | 2956 | 7z.exe
Token: SeRestorePrivilege | 1336 | 7z.exe
Token: 35 | 1336 | 7z.exe
Token: SeSecurityPrivilege | 1336 | 7z.exe
Token: SeSecurityPrivilege | 1336 | 7z.exe
Token: SeRestorePrivilege | 1152 | 7z.exe
Token: 35 | 1152 | 7z.exe
Token: SeSecurityPrivilege | 1152 | 7z.exe
Token: SeSecurityPrivilege | 1152 | 7z.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
description | pid | process | target process (repeated entries collapsed, count in parentheses)
PID 2928 wrote to memory of 3020 | 2928 | fcd6f9dc4c2dedb09f02e98ae484275c_JaffaCakes118.exe | cmd.exe (4 entries)
PID 3020 wrote to memory of 2664 | 3020 | cmd.exe | mode.com (3 entries)
PID 3020 wrote to memory of 2712 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2560 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 3044 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2476 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2456 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2528 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2248 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2836 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2956 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 1336 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 1152 | 3020 | cmd.exe | 7z.exe (3 entries)
PID 3020 wrote to memory of 2752 | 3020 | cmd.exe | attrib.exe (3 entries)
PID 3020 wrote to memory of 2544 | 3020 | cmd.exe | DitrC.exe (4 entries)
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fcd6f9dc4c2dedb09f02e98ae484275c_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\fcd6f9dc4c2dedb09f02e98ae484275c_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        cmdline: mode 65,10
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e file.zip -p___________31817pwd7636pwd29059pwd10164pwd8918pwd1019___________ -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_10.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_9.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_8.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_7.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_6.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_5.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_4.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_3.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_2.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        cmdline: 7z.exe e extracted/file_1.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\attrib.exe
        cmdline: attrib +H "DitrC.exe"
        - Views/modifies file attributes
    [3] C:\Users\Admin\AppData\Local\Temp\main\DitrC.exe
        cmdline: "DitrC.exe"
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\main\7z.dll
  Filesize: 1.6MB
  MD5: 72491c7b87a7c2dd350b727444f13bb4
  SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
  SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
  SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
  Filesize: 2.1MB
  MD5: b32792b467f219eeeb3230e95d8d130d
  SHA1: 0f2bbe569d215039d94d5e3df3144139567d9ca4
  SHA256: 671f5f8b912dff36505429762f285c24e8c379bc1680afe44c43301f912c787d
  SHA512: 919b85fd5c102426da889e4d08165cbfb3f9c538fa57f92fad14eaf9f14c87da098a1fa01d3f88a91c496f58a28c6d9c20762aeba1c76fe5cdcc67419a2cd0e0
- C:\Users\Admin\AppData\Local\Temp\main\extracted\DitrC.exe
  Filesize: 113KB
  MD5: ee300afc745dc8656a8cf2c00687b497
  SHA1: 0a24d7ceae8fbddbf951a78a0c03d0e612784183
  SHA256: e8e5f4aaed62a08838120aacded272497525333d09214b82aa7d66d04fbbea2a
  SHA512: 7c17799a642076ec4991b16c2c2f879450f01bacb5d5e5a17b69657ff1db69ceecd8f6a3a6080dac688b32e1a3ab09946de42ba5a63041964d6d0e621b2c29a5
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
  Filesize: 46KB
  MD5: 91cced3d30cffbdc9af4d1f541f24674
  SHA1: aa2045a128c444a4d48737befb4af8a6e5df7a08
  SHA256: 56e81b150a4a01bd787dc89388bcd3966f9cc8951440f141c5a67a229687938f
  SHA512: 7ab500dc28b81d5afc222032384da2cb0637b307d04c74ce6b1325a5e248a6c13c844b6f386d5b02a112d20c4821dc088fb4fd2e8b638f1463632ec97d5659c0
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
  Filesize: 1.6MB
  MD5: f45da43cbb6a679e75d2e4d7dfc51ef7
  SHA1: c17508f41af73c2ea5c467356e7f0359d02de1b6
  SHA256: d9858bf2882ac4dbb1abda9013817102d2aa1b8378c0ebfc39bf17296b7e856a
  SHA512: 54f347550f8cce60c6e442150a46f5cba498c83dac5aab196f41cd290fff53d6cea7c52ea491e1aa965f549bfb74065478bab6378d35bf0d3b78d6cdccc35bb0
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
  Filesize: 46KB
  MD5: 38fb2e7d522a6ca8a79f9759ce6ce49c
  SHA1: e3dbacb098d8e658c1b215a472085482235c034f
  SHA256: 39df2ca12272ffd9a0be10ab7b57e9191e9cea90632ebc80f69f54fab86e2af9
  SHA512: c26cae9c23f27d693650a14ed9f1ae524444963efc76a37c331d61a3531b0035b56ea0cb7857a875073fbac8ca41345a4f7bc5e7ed82d081ff4dc900dccd171e
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
  Filesize: 46KB
  MD5: 644b41b94026451ef343c3fe8b0008a9
  SHA1: a3a1d7ec11e2bfa3ade56711ac4f35b9d95db5ad
  SHA256: 512c1e921a5ec3bb31977d5409b3f735ff8f0bc9fd76f04cc03655fdaad49cb1
  SHA512: 3fe80081206998e1fdcb1e6378a5708f5ebfc33d159aa1fbe0948e152e7474ef4a6d86ecffb252a6c4d7fe1656ba83622316e6fb78da36f1183353de169b102c
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
  Filesize: 46KB
  MD5: a644c64b435a457e9bbc83f246f6afec
  SHA1: fc77dfc574ffb234a380b911f05bc0e3b49e3208
  SHA256: e6fc295947c2f2ba5258683db0b6c85ca029dde1e05f3dc09536733be96b61f3
  SHA512: 75534d5ebc686e8e844d249a1c3f2c30c8356838416d66778901dd4280b0a2aeb1683bb2e2351522b3e14f379d1a2bd11d1e41e8d26c7f38f1e9cdbdf54b8da9
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
  Filesize: 46KB
  MD5: 73efed54d9877cf1484844cf41e58aa7
  SHA1: b9de31c41c2a4c6d2a0ac228c1e3f02777d42ffc
  SHA256: 426d59adfc32bb848cb873f281a8e0e112d8a5c492084d6707c1ffbd900fb1b9
  SHA512: cef3602a2ce845e465c3723af6cee0abeca6c4bcf09097cbd8e19934be73efceae0ac76203b9d9224e568f52f45be5b48a7cb0cfda106aa5aae7987db981bc6d
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
  Filesize: 47KB
  MD5: 91af5e57ae4ffa2256e2d269bf464b06
  SHA1: 123ffc91ac4f08b3e84a245e9b11df60b0ea7ad6
  SHA256: 559adc6cfc2c95fc0b56c6c26d5559ed4e2079d95221daadb5fe13f451056179
  SHA512: 6a8a920d2a80c38c100961db1863749e90def68817c3260538f81d6227501bc7eeba4d5ed8ec7f06b420950566b8a1f4ae5e2bd38208d214f168d53cb03ab751
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
  Filesize: 47KB
  MD5: 9553ba50a5baefece39e629853761b11
  SHA1: 2cd5ae2a663b951d89c6511acc497f22fa249518
  SHA256: 2b0ddadfee776a43f2e6778bdf22d651260233970ccaf7eb4760def5520b6bef
  SHA512: 309b85c30cb896210c2ae74eb1acbfe5a46088f4e6a9d97b9db3f89725cc4394a8b64b636b2a1a54031650a95f169b724b33dd7face7b44e6aa01c489a2cf2db
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
  Filesize: 47KB
  MD5: 9566af2a41b3b83c123cae58b8c4ebb8
  SHA1: 8dffdc1231d71aa84c6875a26b65893022f98405
  SHA256: dc679b2bfbc25279822364bbd47209f6fdd695227ac6f349e56435bb0f36c98e
  SHA512: df09915d44b46fbcbad9c7a9a3f4fbad866319918097e74a6e3f9d621c6d1935ac01a06c7669c585761c1eddbe614f3cb565aa79c1313754b18a10838d957b6e
- C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
  Filesize: 47KB
  MD5: 5dce040d04a58a5d7f3387fee535eb0a
  SHA1: 9b8542bc440faef0766f8be211fa8b62cc68cf0e
  SHA256: 07d6eb3e24b17ed294b6dc0785156f8f67e481538c40ec7501bbc16fc8d5cb71
  SHA512: 69f9b019e51ae5e4e0302f6598001f51d126ef3f30ebd43b2d67ff86bb8d2ee6785b853b173953ebed45fa22f0e7eb50a64215d795c8294b5a232895a3c68f2e
- C:\Users\Admin\AppData\Local\Temp\main\file.bin
  Filesize: 1.6MB
  MD5: 1c5604c494f35d5d9c7c7d31d95cd53d
  SHA1: 1e7d29ee3a689d53ae68f1d0a2540f2de7507849
  SHA256: 2e89e422629a1b331ed92eebaa3497171372f9de90ba5f400b68886cd2c60acd
  SHA512: 775714936e14e89bf23a4069c4ffe6d053540131fb2f92db4b9698930f52bd1c28aabf962fd6658394eb8db55b4a722bda84fa6d690b7de0d23fa3cfdc128348
- C:\Users\Admin\AppData\Local\Temp\main\main.bat
  Filesize: 491B
  MD5: 7df22fb181b869c60d69051a25a7956b
  SHA1: d16060ef1c77001c74f40b87ccfcfe5b3181f7ad
  SHA256: ec403424255b6ccb1755de3b394e533247655377379765f123d41b4caace2c18
  SHA512: f9c2823b9e9db80c25b246a6f477bb179fa3b25f7a43d190866fbfc953b77fbab9c33b91d6b7a3fe281d7d023edcba73f45c95b1a9fc7bc5f92da36fcdefc8b8
- memory/2544-99-0x0000000000D20000-0x0000000000D42000-memory.dmp
  Filesize: 136KB
- memory/2544-100-0x0000000074660000-0x0000000074D4E000-memory.dmp
  Filesize: 6.9MB
- memory/2544-101-0x0000000004AD0000-0x0000000004B10000-memory.dmp
  Filesize: 256KB
- memory/2544-102-0x0000000074660000-0x0000000074D4E000-memory.dmp
  Filesize: 6.9MB
- memory/2544-103-0x0000000004AD0000-0x0000000004B10000-memory.dmp
  Filesize: 256KB