Malware Analysis Report

2025-03-15 04:40

Sample ID 240515-vtdr2abc6x
Target 4733a823253e50d03fac643b86bfc988_JaffaCakes118
SHA256 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba
Tags
redline bootkit discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba

Threat Level: Known bad

The file 4733a823253e50d03fac643b86bfc988_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

redline bootkit discovery evasion infostealer persistence spyware stealer trojan

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes itself

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 17:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 17:16

Reported

2024-05-15 17:19

Platform

win7-20231129-en

Max time kernel

122s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
US 138.124.183.68:88 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.170:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.194.80.79:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 whois.iana.org udp
US 192.0.32.59:43 whois.iana.org tcp
US 8.8.8.8:53 WHOIS.LACNIC.NET udp
BR 200.3.14.149:43 WHOIS.LACNIC.NET tcp
US 8.8.8.8:53 www.geoplugin.net udp
NL 178.237.33.50:80 www.geoplugin.net tcp
US 138.124.183.68:88 tcp

Files

memory/2352-0-0x0000000001180000-0x0000000001678000-memory.dmp

memory/2352-2-0x0000000001180000-0x0000000001678000-memory.dmp

memory/2352-3-0x0000000001180000-0x0000000001678000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar7B7C.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 2c0eaf728ce5b8f92db45fa87192f3ba
SHA1 99fa7e5629024284d31c71c9e80cee4ffdf05711
SHA256 2290a7483fd7fffb619788817a76214beae6f4a590bba0de941e6a16b22e0b3e
SHA512 e576bda3d3e7a7722c6d20d504e7dc943f65e6cf43e7a161d077a8fc83adcd4d8f2ccf681f3ecae84048458a979e144e2ccdb8d3a49176dce6aca5f069c2499c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3fc56e093d4bb8321af5d262aabd9e2
SHA1 16d12cfb5f8d2ed1c6922ea31b334455c5b7148d
SHA256 ff880818049399718ca5a3b17f5987a46e3b20bb3f1b022c1eeee988079de9d3
SHA512 a4cd7fdaddb53550d51100666fa64c23f64e1e4c5ef77d79623a2264f6d136fd7e639cf396e6c78a54e10ca8e9674b69288021e330b72c3a0a4347b4585524b7

C:\Users\Admin\AppData\Local\Temp\tmp89DB.tmp

MD5 1648d984f5c7b701925df334188a7c67
SHA1 390150be1637edff83123d10efe747fa2a5e4968
SHA256 af73e1f2cced0800ad436b1d3a63c3b159ecd9e298c5e32bf5a884fb476c134d
SHA512 2f71d378127e0158168573e24aa49d8aedac54adf3af48607d09225f291c8075151f1d6d87344dff483445ebe4db2a6f73086b2b7e7614887ccece429779694e

C:\Users\Admin\AppData\Local\Temp\tmp89DC.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp89F1.tmp

MD5 69b4e9248982ac94fa6ee1ea6528305f
SHA1 6fb0e765699dd0597b7a7c35af4b85eead942e5b
SHA256 53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883
SHA512 5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

memory/2352-210-0x0000000001180000-0x0000000001678000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 17:16

Reported

2024-05-15 17:19

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.152:443 www.bing.com tcp
US 138.124.183.68:88 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 152.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
BE 2.17.196.152:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.72.200.208:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 whois.iana.org udp
US 192.0.32.59:43 whois.iana.org tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 208.200.72.54.in-addr.arpa udp
US 8.8.8.8:53 WHOIS.LACNIC.NET udp
BR 200.3.14.149:43 WHOIS.LACNIC.NET tcp
US 8.8.8.8:53 59.32.0.192.in-addr.arpa udp
US 8.8.8.8:53 www.geoplugin.net udp
NL 178.237.33.50:80 www.geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 149.14.3.200.in-addr.arpa udp
US 138.124.183.68:88 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4268-0-0x0000000001000000-0x00000000014F8000-memory.dmp

memory/4268-2-0x0000000001000000-0x00000000014F8000-memory.dmp

memory/4268-3-0x0000000001000000-0x00000000014F8000-memory.dmp

memory/4268-4-0x0000000005890000-0x0000000005EA8000-memory.dmp

memory/4268-5-0x0000000005230000-0x0000000005242000-memory.dmp

memory/4268-6-0x00000000052B0000-0x00000000052EC000-memory.dmp

memory/4268-7-0x00000000052F0000-0x000000000533C000-memory.dmp

memory/4268-8-0x0000000005530000-0x000000000563A000-memory.dmp

memory/4268-11-0x00000000060B0000-0x0000000006142000-memory.dmp

memory/4268-12-0x0000000006700000-0x0000000006CA4000-memory.dmp

memory/4268-13-0x0000000001000000-0x00000000014F8000-memory.dmp

memory/4268-14-0x0000000006F80000-0x0000000007142000-memory.dmp

memory/4268-15-0x0000000007680000-0x0000000007BAC000-memory.dmp

memory/4268-16-0x0000000006E60000-0x0000000006EC6000-memory.dmp

memory/4268-17-0x0000000008660000-0x00000000086B0000-memory.dmp

memory/4268-23-0x0000000008750000-0x00000000087EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C44.tmp

MD5 e55d7f58df0b83cbb7536bfbc792d1b1
SHA1 a3f053ad4903a8a66431521796cc13bd5e76a189
SHA256 6f21fa2af712c97ea3371e87dfc7c09220142df82bdf3520593426c93121c041
SHA512 5f836348154acdcdde90f98ee89a54ece2c757eb86b38cc1174013a5109bd8ce3f96147c8220ebfb4ac14b733f7cf39f12e4feefed8e66dc4b2fb99cdf93161e

C:\Users\Admin\AppData\Local\Temp\tmp9C54.tmp

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp

MD5 6d7ef092add3330a33162536d6a34a07
SHA1 b2646ee43195149c40daaadfada376f58169534e
SHA256 84d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7
SHA512 579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f

C:\Users\Admin\AppData\Local\Temp\tmp9CC6.tmp

MD5 554187ec42a63490fbd24746e531a544
SHA1 a92399ed19fde8131a3843924c44027606e4ab2e
SHA256 1841c87dd39fb775f2b35f5a5a5eae82694e3c6c616aa0936990edcc0f9cafc5
SHA512 89eef8cb8d020a2afd58cedbab9530284cf7f14c7503e913dbac2b6c9c1f6ea8ceb4c148ecd07607ba56dd86c7f9d0de8eb3d5524d256065662fe83b4eca74dc

C:\Users\Admin\AppData\Local\Temp\tmp9CC7.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp9CCD.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/4268-281-0x0000000001000000-0x00000000014F8000-memory.dmp