Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe
- Size: 1024KB
- MD5: 73af1e55e0dd26fbbb68c774c92cc525
- SHA1: 8616b22442ad17a0a729686d5376d409de403f55
- SHA256: f535ab1b315411a456a7f121e1666c37a513f567ff4f6e6fa0e5392efbcb3bab
- SHA512: d394a548f8cdf1b7068f4b0f29bc1e277fa591b00078233cd5aa37ddf1f7c67913aef1d8d28861d4804226159d27f6d288ec49057bcfab5b82b1955391e4b0b8
- SSDEEP: 24576:9k70TrcCUsAr38zPlJA1fHWAaaS5E6e7KAa:9kQTApV38zfA1Rn7KA
Malware Config
Extracted
- Family: redline
- Botnet: mix
- C2: 193.38.55.28:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2384-5-0x0000000000400000-0x0000000000430000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe
  description | pid | process | target process
  PID 4524 set thread context of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid | process
  2672 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RegAsm.exe, taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 2384 | RegAsm.exe
  Token: SeDebugPrivilege | 2672 | taskkill.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe, RegAsm.exe, cmd.exe
  description | pid | process | target process
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 4524 wrote to memory of 2384 | 4524 | 73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe | RegAsm.exe
  PID 2384 wrote to memory of 320 | 2384 | RegAsm.exe | cmd.exe
  PID 2384 wrote to memory of 320 | 2384 | RegAsm.exe | cmd.exe
  PID 2384 wrote to memory of 320 | 2384 | RegAsm.exe | cmd.exe
  PID 320 wrote to memory of 2672 | 320 | cmd.exe | taskkill.exe
  PID 320 wrote to memory of 2672 | 320 | cmd.exe | taskkill.exe
  PID 320 wrote to memory of 2672 | 320 | cmd.exe | taskkill.exe
  PID 320 wrote to memory of 3160 | 320 | cmd.exe | choice.exe
  PID 320 wrote to memory of 3160 | 320 | cmd.exe | choice.exe
  PID 320 wrote to memory of 3160 | 320 | cmd.exe | choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73af1e55e0dd26fbbb68c774c92cc525_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4524
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2384
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 2384 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of WriteProcessMemory
      PID: 320
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /PID 2384
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2672
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
        PID: 3160
Network
MITRE ATT&CK Matrix
Downloads
- memory/2384-13-0x00000000051D0000-0x000000000521C000-memory.dmp (Filesize: 304KB)
- memory/2384-11-0x00000000050F0000-0x0000000005102000-memory.dmp (Filesize: 72KB)
- memory/2384-16-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/2384-15-0x0000000005410000-0x000000000551A000-memory.dmp (Filesize: 1.0MB)
- memory/2384-9-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/2384-5-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/2384-14-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/2384-10-0x00000000057F0000-0x0000000005E08000-memory.dmp (Filesize: 6.1MB)
- memory/2384-12-0x0000000005150000-0x000000000518C000-memory.dmp (Filesize: 240KB)
- memory/4524-7-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/4524-8-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/4524-4-0x0000000005370000-0x0000000005432000-memory.dmp (Filesize: 776KB)
- memory/4524-0-0x00000000747DE000-0x00000000747DF000-memory.dmp (Filesize: 4KB)
- memory/4524-1-0x0000000004D00000-0x0000000004DC4000-memory.dmp (Filesize: 784KB)
- memory/4524-2-0x00000000747D0000-0x0000000074F80000-memory.dmp (Filesize: 7.7MB)
- memory/4524-3-0x0000000004DC0000-0x0000000005364000-memory.dmp (Filesize: 5.6MB)