Overview

overview

10

Static

static

3

0cecd325ae...18.exe

windows7-x64

10

0cecd325ae...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/05/2024, 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    0cecd325ae1650c55eef63053bcd8f91

  • SHA1

    a60668f3d2a3791ba0337a08265817b8ff9d18e6

  • SHA256

    2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0

  • SHA512

    7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6

  • SSDEEP

    49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y

Score
10/10
redlinebootkitdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 2476 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 2476
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:1948

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar2CF1.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp38B9.tmp
      Filesize

      130KB

      MD5

      8cb5b3b31fbebc95644a5e99308b20a0

      SHA1

      58dd5f3ba651391f5ec61f2fa5d776853a4275c9

      SHA256

      c4a211c6a6bfc46088a2b0c6d933be88eb86c18d1eac93ac7b2c5b5e8beb8ee4

      SHA512

      508b637f8e6cad7bb5d0d514ac45e3ab9d5865f5df734ee96980b393a991b35cfa0d289720d719a28fd3ccbbb067bfa20b0b81c8ef709b402441b81aa52bd3d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp38BA.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp38CF.tmp
      Filesize

      92KB

      MD5

      bbe71b58e84c50336ee2d3bad3609c39

      SHA1

      bdd3227b48977e583127425cbc2f86ff4077ba10

      SHA256

      b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

      SHA512

      07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

      Download Submit

    • memory/2476-0-0x0000000000D60000-0x0000000001242000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2476-2-0x0000000000D60000-0x0000000001242000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2476-3-0x0000000000D60000-0x0000000001242000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2476-156-0x0000000000D60000-0x0000000001242000-memory.dmp

      Filesize

      4.9MB

      Download