Analysis
max time kernel: 135s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/05/2024, 14:55
Static task: static1

Behavioral task: behavioral1
Sample: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General
Target: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
Size: 1024KB
MD5: 10c88faf59369b1de89571283669aaae
SHA1: a0dfa4ae8397fd67fe96f1bcbce62b0f79d57e71
SHA256: 7ddb2b796907b6d56dbaffd41eec9c48dafc9bb24b75d123ed5af408f8db8062
SHA512: f98e146372f6db1a6914f9f92c2b37eb6fd907b8173f2d8ea23d65e0bc039db7da39c5cb023fff6291666e7e102bb22c503b33ea0e90564f807bab4fd55c0e7b
SSDEEP: 24576:gk70Trckyima96k6361eU67QinCzrtoXwwh:gkQTAsIk6q15aC9oXb
Malware Config
Extracted
Family: redline
Botnet: 122
C2: 156.238.184.172:80
Signatures
- Detect ZGRat V1 (2 IoCs)
  resource: behavioral2/memory/4952-1-0x0000000004D60000-0x0000000004E24000-memory.dmp, yara_rule: family_zgrat_v1
  resource: behavioral2/memory/4952-4-0x00000000053D0000-0x0000000005492000-memory.dmp, yara_rule: family_zgrat_v1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/4888-5-0x0000000000400000-0x0000000000440000-memory.dmp, yara_rule: family_redline
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4952 set thread context of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
- Kills process with taskkill (1 IoC)
  pid: 2652, Process: taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 4888, Process: RegAsm.exe
  description: Token: SeDebugPrivilege, pid: 2652, Process: taskkill.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4952 wrote to memory of 4888, pid: 4952, Process: 10c88faf59369b1de89571283669aaae_JaffaCakes118.exe, procid_target: 84
  description: PID 4888 wrote to memory of 3932, pid: 4888, Process: RegAsm.exe, procid_target: 93
  description: PID 4888 wrote to memory of 3932, pid: 4888, Process: RegAsm.exe, procid_target: 93
  description: PID 4888 wrote to memory of 3932, pid: 4888, Process: RegAsm.exe, procid_target: 93
  description: PID 3932 wrote to memory of 2652, pid: 3932, Process: cmd.exe, procid_target: 95
  description: PID 3932 wrote to memory of 2652, pid: 3932, Process: cmd.exe, procid_target: 95
  description: PID 3932 wrote to memory of 2652, pid: 3932, Process: cmd.exe, procid_target: 95
  description: PID 3932 wrote to memory of 1140, pid: 3932, Process: cmd.exe, procid_target: 98
  description: PID 3932 wrote to memory of 1140, pid: 3932, Process: cmd.exe, procid_target: 98
  description: PID 3932 wrote to memory of 1140, pid: 3932, Process: cmd.exe, procid_target: 98
Processes
- C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10c88faf59369b1de89571283669aaae_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4952
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4888
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 4888 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3932
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /PID 4888
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2652
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
        PID: 1140