Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 00:00

General

  • Target

    0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    0cecd325ae1650c55eef63053bcd8f91

  • SHA1

    a60668f3d2a3791ba0337a08265817b8ff9d18e6

  • SHA256

    2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0

  • SHA512

    7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6

  • SSDEEP

    49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 4972 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 4972
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6238.tmp

      Filesize

      78KB

      MD5

      3db95abed18520c9e0083febcdc88deb

      SHA1

      8ab4eef9e3ab553b710d724a5c16a917173813a2

      SHA256

      8ee100f9470da8f40bc623b9aa32a0084bc8641b1c06fa20366a9348c5906c12

      SHA512

      b769bfc0b1ffe34dd6b80c0ad7a0eb57e574130731f9bf5da028bec18ac11f3b795b994f9783f25387517a3ee17ea36d36b9a4ddd787bee32054062cc6a5cfaa

    • C:\Users\Admin\AppData\Local\Temp\tmp6249.tmp

      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

    • C:\Users\Admin\AppData\Local\Temp\tmp624F.tmp

      Filesize

      114KB

      MD5

      556bc0c1a1d9f1f336dc8592efdbb7cd

      SHA1

      857a0ff938c0434e645d105cb91d5d6bc2b8e4dc

      SHA256

      a6a5675a55568b85e4c996b069e366e6e7c56ecf17a1d8ec8ebe6104b00a6a23

      SHA512

      da63e5d7150a7e93f4d501eee8c32cfda21bce7651bfcb9594fbd065d032f536e1105b37ada704de48bea0efbc3e80a81f67c2f630c894c635086eecafab54b0

    • C:\Users\Admin\AppData\Local\Temp\tmp62BA.tmp

      Filesize

      8KB

      MD5

      6f4a8b8071fc2cdf4d95e8195c191f06

      SHA1

      e238b09988b89586644401bf5fe03bd5deb0ea1c

      SHA256

      2eab13aeb3580558e8ad72aaad4567e523c5327db36da6e4172ac9874b6229d4

      SHA512

      2a128a9776ef02fe12f1699515578b61e7b764547ae7482e75feea905955b44f20c757b88122047b2e34044d69437a1061e7a0c9fc14c71048979036c53ab268

    • C:\Users\Admin\AppData\Local\Temp\tmp62BB.tmp

      Filesize

      48KB

      MD5

      349e6eb110e34a08924d92f6b334801d

      SHA1

      bdfb289daff51890cc71697b6322aa4b35ec9169

      SHA256

      c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

      SHA512

      2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    • C:\Users\Admin\AppData\Local\Temp\tmp62D1.tmp

      Filesize

      20KB

      MD5

      49693267e0adbcd119f9f5e02adf3a80

      SHA1

      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

      SHA256

      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

      SHA512

      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    • C:\Users\Admin\AppData\Local\Temp\tmp62E6.tmp

      Filesize

      116KB

      MD5

      f70aa3fa04f0536280f872ad17973c3d

      SHA1

      50a7b889329a92de1b272d0ecf5fce87395d3123

      SHA256

      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

      SHA512

      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    • memory/4972-6-0x0000000005890000-0x00000000058CC000-memory.dmp

      Filesize

      240KB

    • memory/4972-20-0x00000000083E0000-0x000000000847C000-memory.dmp

      Filesize

      624KB

    • memory/4972-10-0x0000000006CF0000-0x0000000007294000-memory.dmp

      Filesize

      5.6MB

    • memory/4972-11-0x0000000007670000-0x0000000007832000-memory.dmp

      Filesize

      1.8MB

    • memory/4972-12-0x0000000007D70000-0x000000000829C000-memory.dmp

      Filesize

      5.2MB

    • memory/4972-13-0x0000000007590000-0x00000000075F6000-memory.dmp

      Filesize

      408KB

    • memory/4972-14-0x00000000082F0000-0x0000000008340000-memory.dmp

      Filesize

      320KB

    • memory/4972-9-0x00000000066A0000-0x0000000006732000-memory.dmp

      Filesize

      584KB

    • memory/4972-8-0x0000000005B20000-0x0000000005C2A000-memory.dmp

      Filesize

      1.0MB

    • memory/4972-7-0x00000000058D0000-0x000000000591C000-memory.dmp

      Filesize

      304KB

    • memory/4972-0-0x0000000000930000-0x0000000000E12000-memory.dmp

      Filesize

      4.9MB

    • memory/4972-5-0x0000000005830000-0x0000000005842000-memory.dmp

      Filesize

      72KB

    • memory/4972-4-0x0000000005DE0000-0x00000000063F8000-memory.dmp

      Filesize

      6.1MB

    • memory/4972-3-0x0000000000930000-0x0000000000E12000-memory.dmp

      Filesize

      4.9MB

    • memory/4972-2-0x0000000000930000-0x0000000000E12000-memory.dmp

      Filesize

      4.9MB

    • memory/4972-276-0x0000000000930000-0x0000000000E12000-memory.dmp

      Filesize

      4.9MB