Analysis
max time kernel: 117s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
Size: 1024KB
MD5: 10c88faf59369b1de89571283669aaae
SHA1: a0dfa4ae8397fd67fe96f1bcbce62b0f79d57e71
SHA256: 7ddb2b796907b6d56dbaffd41eec9c48dafc9bb24b75d123ed5af408f8db8062
SHA512: f98e146372f6db1a6914f9f92c2b37eb6fd907b8173f2d8ea23d65e0bc039db7da39c5cb023fff6291666e7e102bb22c503b33ea0e90564f807bab4fd55c0e7b
SSDEEP: 24576:gk70Trckyima96k6361eU67QinCzrtoXwwh:gkQTAsIk6q15aC9oXb
Malware Config
Extracted
Family: redline
Botnet: 122
C2: 156.238.184.172:80
Signatures
Detect ZGRat V1 (2 IoCs)
resource  yara_rule
  behavioral1/memory/2032-1-0x0000000004A60000-0x0000000004B24000-memory.dmp  family_zgrat_v1
  behavioral1/memory/2032-4-0x00000000048E0000-0x00000000049A2000-memory.dmp  family_zgrat_v1
RedLine
RedLine Stealer is an information stealer written in C#, first seen in early 2020, that harvests browser credentials, cookies and cryptocurrency wallet data and reports to a configured C2 (here 156.238.184.172:80).
-
RedLine payload (5 IoCs)
resource  yara_rule
  behavioral1/memory/1164-9-0x0000000000400000-0x0000000000440000-memory.dmp   family_redline
  behavioral1/memory/1164-11-0x0000000000400000-0x0000000000440000-memory.dmp  family_redline
  behavioral1/memory/1164-14-0x0000000000400000-0x0000000000440000-memory.dmp  family_redline
  behavioral1/memory/1164-16-0x0000000000400000-0x0000000000440000-memory.dmp  family_redline
  behavioral1/memory/1164-18-0x0000000000400000-0x0000000000440000-memory.dmp  family_redline
All five matches are the same 0x400000-0x440000 image region of PID 1164 (RegAsm.exe) captured at successive dump points, i.e. the payload that was written into the hollowed host.
Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
  PID 2032 set thread context of 1164  2032  10c88faf59369b1de89571283669aaae_JaffaCakes118.exe  28
The parent replaces the entry point of a freshly created, argument-less RegAsm.exe child; together with the WriteProcessMemory calls below this is the process-hollowing pattern.
Kills process with taskkill (1 IoC)
pid  Process
  2576  taskkill.exe  (target: PID 1164, the RegAsm.exe host)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
  Token: SeDebugPrivilege  1164  RegAsm.exe
  Token: SeDebugPrivilege  2576  taskkill.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description  pid  Process  procid_target
  PID 2032 wrote to memory of 1164  2032  10c88faf59369b1de89571283669aaae_JaffaCakes118.exe  28  (12 times)
  PID 1164 wrote to memory of 2596  1164  RegAsm.exe  29  (4 times)
  PID 2596 wrote to memory of 2576  2596  cmd.exe  31  (4 times)
  PID 2596 wrote to memory of 2556  2596  cmd.exe  33  (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe"
   PID: 2032
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1164
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: "cmd.exe" /C taskkill /F /PID 1164 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         PID: 2596
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\taskkill.exe
            cmdline: taskkill /F /PID 1164
            PID: 2576
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\choice.exe
            cmdline: choice /C Y /N /D Y /T 3
            PID: 2556

Read as a chain: the dropper (2032) starts the signed .NET utility RegAsm.exe with no arguments, overwrites its memory and redirects its thread (SetThreadContext + WriteProcessMemory), and the RedLine payload then runs inside PID 1164, which is what the family_redline memory rules match. At the end of the run 1164 spawns cmd.exe to kill itself by PID, wait about three seconds via choice, and delete its image path. Because the payload was hollowed into a system binary, that Del targets the legitimate framework RegAsm.exe rather than a dropped copy; whether the deletion succeeds is not recorded in this report.
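The two behaviours above (a .NET utility hollowed by its parent, and a cmd.exe kill-then-delete routine aimed at its own parent) are worth turning into detection logic that can be run over any process tree, not only this one. The following is an added example written for this page, not sandbox output or code from the report; the process records are constructed from the PIDs and command lines shown above, and the record layout, field names and the list of .NET host binaries are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Process records reconstructed from the tree in this report (constructed
# sample input; the record layout and field names are this example's own).
@dataclass
class Proc:
    pid: int
    ppid: int            # 0 = no parent in the trace
    image: str
    cmdline: str
    flags: set = field(default_factory=set)   # sandbox behaviour flags seen on the process

PROCS = [
    Proc(2032, 0,
         r"C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe"',
         {"SetThreadContext", "WriteProcessMemory"}),
    Proc(1164, 2032,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
         {"AdjustPrivilegeToken", "WriteProcessMemory"}),
    Proc(2596, 1164,
         r"C:\Windows\SysWOW64\cmd.exe",
         r'"cmd.exe" /C taskkill /F /PID 1164 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
         {"WriteProcessMemory"}),
    Proc(2576, 2596, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /PID 1164",
         {"AdjustPrivilegeToken"}),
    Proc(2556, 2596, r"C:\Windows\SysWOW64\choice.exe", "choice /C Y /N /D Y /T 3", set()),
]

# Signed .NET framework utilities frequently used as hollowing hosts
# (assumption: an analyst-maintained list, not taken from the report).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# "taskkill /F /PID <n> ... del <path>" inside one cmd line: kill-then-delete routine.
SELF_DELETE = re.compile(r'taskkill\s+/F\s+/PID\s+(\d+).*?\bdel\b\s+"?([^"&|]+)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(procs):
    """Return (parent_pid, child_pid, child_image) for every child that is a .NET
    framework utility started with a bare image path (no arguments) by a parent
    that both set a thread context and wrote memory, i.e. the hollowing pattern
    flagged in the signatures above."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        bare = p.cmdline.strip('"').lower() == p.image.lower()
        if (basename(p.image) in DOTNET_HOSTS and bare
                and {"SetThreadContext", "WriteProcessMemory"} <= parent.flags):
            hits.append((parent.pid, p.pid, basename(p.image)))
    return hits


def detect_self_delete(procs):
    """Return one dict per cmd.exe whose command line kills a PID and then deletes
    a file; kills_parent is True when the killed PID is cmd.exe's own parent,
    which is what a payload removing itself looks like."""
    hits = []
    for p in procs:
        if basename(p.image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(p.cmdline)
        if m:
            killed = int(m.group(1))
            hits.append({"cmd_pid": p.pid, "killed_pid": killed,
                         "kills_parent": killed == p.ppid,
                         "deleted": m.group(2).strip()})
    return hits


if __name__ == "__main__":
    for parent, child, image in detect_hollowing(PROCS):
        print(f"hollowing: {parent} -> {child} ({image})")
    for h in detect_self_delete(PROCS):
        print(f"self-delete: cmd {h['cmd_pid']} kills {h['killed_pid']} "
              f"(parent={h['kills_parent']}) then deletes {h['deleted']}")
```

Both checks are deliberately structural rather than hash-based: the hollowing rule keys on an argument-less .NET utility whose parent set its thread context, and the self-delete rule keys on a kill-by-PID that names cmd.exe's own parent, so either fires on the next RedLine build regardless of its file hash. Feeding real telemetry means mapping your EDR's process-create and API events onto the Proc fields; the flags here stand in for whatever your sensor records for SetThreadContext and WriteProcessMemory.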