Malware Analysis Report

2025-01-22 09:11

Sample ID 240521-k7h9kafh46
Target 62c4757cba47a10510ec481b119ccc84_JaffaCakes118
SHA256 e10c278cf1ecc14858bcdbdd8de5370fd45bbdd3ece54b828f1960a6d946577a
Tags
redline discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e10c278cf1ecc14858bcdbdd8de5370fd45bbdd3ece54b828f1960a6d946577a

Threat Level: Known bad

The file 62c4757cba47a10510ec481b119ccc84_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer spyware stealer

RedLine payload

RedLine

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 09:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 09:14

Reported

2024-05-21 09:16

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2608 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
RU 95.181.155.204:35253 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 34.251.156.16:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 whois.iana.org udp
US 192.0.47.59:43 whois.iana.org tcp
US 8.8.8.8:53 WHOIS.LACNIC.NET udp
BR 200.3.14.149:43 WHOIS.LACNIC.NET tcp
US 8.8.8.8:53 www.geoplugin.net udp
NL 178.237.33.50:80 www.geoplugin.net tcp
RU 95.181.155.204:35253 tcp

Files

memory/2040-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

memory/2040-1-0x0000000000370000-0x00000000003FC000-memory.dmp

memory/2040-2-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/2040-3-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/2040-4-0x00000000740BE000-0x00000000740BF000-memory.dmp

memory/2040-5-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/2040-6-0x0000000000610000-0x000000000063A000-memory.dmp

memory/2040-7-0x0000000000680000-0x0000000000694000-memory.dmp

memory/2608-8-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-20-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-18-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-16-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2608-13-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-10-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2608-22-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/2608-21-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/2040-23-0x00000000740B0000-0x000000007479E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar9EA5.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c0f16fcacaeb2d1a448eb393680c33db
SHA1 90b04cb74848d68b5c14b5b2fa536c3799de5be8
SHA256 844750bc7cd31440394bdd141bd6d929f957f3fadd2658d0cfccc54f2d9a1bc8
SHA512 d5a6bf9ee611e4edfbc3f434bc7b3834aa559b26b43d5b51a0588f0a15149a014a93246f5e5d818ec9dc054f435b55d5f586f832736f6cd02cf19cccf90c496b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ebfaa2f3cc51f38b4125fcc09c646fc
SHA1 64b3c17e143c507e6fff94b85a8c923e18e055e1
SHA256 23107566e21803e980d45815e9fe32f700c397a70b49cbcd772db5c44bb5bb5a
SHA512 9dbd7876981ceb5f0b4f65be827a6cec1b62661195319493fa59fea678366a2fe1c3ab8ac2444d3a58d6a3b7cfb6de7b0e33bf6f7717b34571e4bdc0636a2716

C:\Users\Admin\AppData\Local\Temp\tmpABAD.tmp

MD5 05960247ca4149f90694184d0368c3f1
SHA1 a01d8fc30db735b8d31ce2b4c497a3d1a8d1fea1
SHA256 996dbb93ee5be192bca1e701431227c8b02071d00819267eb567ee2b86f8786e
SHA512 b0f854937a25631bedf283b4f24d241545b5d52021e24f6dc4bb391726d9e8b02cbe1b4af8a51d8cfd792286bdf10801b61b33c699880e3ce86404384b63d77d

C:\Users\Admin\AppData\Local\Temp\tmpABAE.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpABC3.tmp

MD5 69b4e9248982ac94fa6ee1ea6528305f
SHA1 6fb0e765699dd0597b7a7c35af4b85eead942e5b
SHA256 53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883
SHA512 5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

memory/2608-224-0x00000000740B0000-0x000000007479E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 09:14

Reported

2024-05-21 09:17

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 2008 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe
PID 1156 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1372 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1372 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 225.83.221.88.in-addr.arpa udp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 95.181.155.204:35253 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 34.251.156.16:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 whois.iana.org udp
US 192.0.47.59:43 whois.iana.org tcp
US 8.8.8.8:53 16.156.251.34.in-addr.arpa udp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 WHOIS.LACNIC.NET udp
BR 200.3.14.151:43 WHOIS.LACNIC.NET tcp
US 8.8.8.8:53 59.47.0.192.in-addr.arpa udp
US 8.8.8.8:53 www.geoplugin.net udp
NL 178.237.33.50:80 www.geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 151.14.3.200.in-addr.arpa udp
RU 95.181.155.204:35253 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 218.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2008-0-0x000000007487E000-0x000000007487F000-memory.dmp

memory/2008-1-0x00000000001E0000-0x000000000026C000-memory.dmp

memory/2008-2-0x0000000005330000-0x00000000058D4000-memory.dmp

memory/2008-3-0x0000000004CC0000-0x0000000004D52000-memory.dmp

memory/2008-4-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2008-6-0x0000000004C70000-0x0000000004C7A000-memory.dmp

memory/2008-5-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2008-7-0x000000007487E000-0x000000007487F000-memory.dmp

memory/2008-8-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2008-9-0x0000000006020000-0x000000000604A000-memory.dmp

memory/2008-10-0x0000000006070000-0x0000000006084000-memory.dmp

memory/1156-11-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\62c4757cba47a10510ec481b119ccc84_JaffaCakes118.exe.log

MD5 df27a876383bd81dfbcb457a9fa9f09d
SHA1 1bbc4ab95c89d02ec1d217f0255205787999164e
SHA256 8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc
SHA512 fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

memory/1156-15-0x00000000057E0000-0x0000000005DF8000-memory.dmp

memory/1156-14-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1156-16-0x0000000005110000-0x0000000005122000-memory.dmp

memory/1156-18-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2008-17-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1156-19-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/1156-20-0x00000000051C0000-0x000000000520C000-memory.dmp

memory/1156-21-0x0000000005410000-0x000000000551A000-memory.dmp

memory/1156-22-0x0000000006D70000-0x0000000006F32000-memory.dmp

memory/1156-23-0x0000000007470000-0x000000000799C000-memory.dmp

memory/1156-24-0x0000000006F40000-0x0000000006FA6000-memory.dmp

memory/1156-25-0x0000000008650000-0x00000000086A0000-memory.dmp

memory/1156-31-0x0000000008740000-0x00000000087DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE3FB.tmp

MD5 8e877da5b0d7955b5d2ae8c1f88e79d1
SHA1 7bd854c4b4e5103a909981f374a5a518ff0523a3
SHA256 4190d71f7826d1a949003c7d66b349395653bb7fa4dfbe96369faec592791cc7
SHA512 cf2c8ee34ad02224b2ad2512c2e837647a62e7b4f9b558ef3cf5d03d95a4e100c3948c5a48e4b1e101f294bd973d6f11ba2e3cbb81034f22681fc6bfa429d8e3

C:\Users\Admin\AppData\Local\Temp\tmpE3FC.tmp

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmpE421.tmp

MD5 78855c87b9d2682c8141f1afe227dd1d
SHA1 8b0bf8584c49cf70bebb1b289f765532eb0cb127
SHA256 c9217d14f586d9e694446bcf76f67442b2440af2a3bce5fa593194bcd314f4e0
SHA512 cb54bb1683f31ef4f5f4766745909a48dbf61cbbff409a3a596d8b71d65a9f879c47eb479c67e58dd3a05a0049d5bdbd4215242490a9f552ad131d5ef95975b4

C:\Users\Admin\AppData\Local\Temp\tmpE47D.tmp

MD5 c7983fc4711653ac90e5ef2c9be484bf
SHA1 0378d7fcd9dc68b5a785780afef8b069147479f3
SHA256 ff7d914cade76786ea807552ed12d4ee975536863405636dbd3d8484a6f669cf
SHA512 f298b35a1d6f4f17e2030d257c33e4e8a6c10a47a7d5e42f71385fba6dbfebb75f46ce36b5d257f49169d5536d1e50e0da679cce1da94c8d61a6bd3ec8aa2577

C:\Users\Admin\AppData\Local\Temp\tmpE47E.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpE494.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpE49A.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/1156-285-0x0000000074870000-0x0000000075020000-memory.dmp