Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 00:00
General
-
Target
0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
0cecd325ae1650c55eef63053bcd8f91
-
SHA1
a60668f3d2a3791ba0337a08265817b8ff9d18e6
-
SHA256
2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0
-
SHA512
7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6
-
SSDEEP
49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 4972 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 49723⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD53db95abed18520c9e0083febcdc88deb
SHA18ab4eef9e3ab553b710d724a5c16a917173813a2
SHA2568ee100f9470da8f40bc623b9aa32a0084bc8641b1c06fa20366a9348c5906c12
SHA512b769bfc0b1ffe34dd6b80c0ad7a0eb57e574130731f9bf5da028bec18ac11f3b795b994f9783f25387517a3ee17ea36d36b9a4ddd787bee32054062cc6a5cfaa
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5556bc0c1a1d9f1f336dc8592efdbb7cd
SHA1857a0ff938c0434e645d105cb91d5d6bc2b8e4dc
SHA256a6a5675a55568b85e4c996b069e366e6e7c56ecf17a1d8ec8ebe6104b00a6a23
SHA512da63e5d7150a7e93f4d501eee8c32cfda21bce7651bfcb9594fbd065d032f536e1105b37ada704de48bea0efbc3e80a81f67c2f630c894c635086eecafab54b0
-
Filesize
8KB
MD56f4a8b8071fc2cdf4d95e8195c191f06
SHA1e238b09988b89586644401bf5fe03bd5deb0ea1c
SHA2562eab13aeb3580558e8ad72aaad4567e523c5327db36da6e4172ac9874b6229d4
SHA5122a128a9776ef02fe12f1699515578b61e7b764547ae7482e75feea905955b44f20c757b88122047b2e34044d69437a1061e7a0c9fc14c71048979036c53ab268
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
240KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
4.9MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB