Overview

overview

10

Static

static

3

3d94c97113...18.exe

windows7-x64

10

3d94c97113...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

  • Size

    416KB

  • MD5

    3d94c97113665616bb2ff09440a5bc27

  • SHA1

    5af98e2f9e6183427893987961e049362a57c702

  • SHA256

    586465bf2feff2badcc4abc5e37c030cf8476b836c88803095ee6f53c6e35857

  • SHA512

    5fa61c6fe9a622fc3553af05fd0e5d9600c05dd850f61cd756a79bcfc8e14812a2302387f966cefd651fae94080339c4d7f85184106af9253bb9828fee76a12c

  • SSDEEP

    12288:tttEi0F8ltcKn2HMAS9iLW851+9dN7KOY8N9Oe+9lauWfx7sN8zkdI4+qWcpORzw:R0GZ2Ha9P8K9d9Kbn9

Score
10/10
redlinesectoprat@lockfayinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

@lockfay

C2

194.15.46.144:36848

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
      2⤵
        PID:2576
      • C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
        2⤵
          PID:2600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYNBXT8T5L5MKJUPI9UE.temp
        Filesize

        7KB

        MD5

        5bce7ca791f710fdae2dbd25bdab5914

        SHA1

        6b8921d3371d18fe46108ef3b6755bc71c13d512

        SHA256

        8b5d7522f937b0d65daae43ea4d5690234872a5f3d316d7ce616e01fcf13955c

        SHA512

        eeed8d9764252c7a31b469d3d0690927e9ccf0c947c5218d7fec9712da1049e6482226406bc92f438bdf0212937698c8450d8712d51ee145265016cb48db9f5d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        ba0b30bd693b1c00680499e4291eb175

        SHA1

        c6c4d6a8ec7354c4d69bc5ad8172948d8d60e89b

        SHA256

        2b536daca0c58eee024befe7cd8d4c17aaea2241f933857e38f66ff2485612a4

        SHA512

        7444a4d0630c80531c526cce88b2c35d650e3ae6ef52366e671d24d253f82953e7b0bad0c4975ba07e7a02397ad1d0e008c141bc64d29b164ba89135dd6200f4

        Download Submit

      • memory/2088-0-0x000000007431E000-0x000000007431F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-1-0x00000000013E0000-0x000000000144E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/2088-10-0x0000000001390000-0x00000000013CA000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2088-11-0x0000000004B80000-0x0000000004BC0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2088-12-0x0000000004850000-0x000000000486C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2128-4-0x0000000002A30000-0x0000000002A70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2600-13-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-15-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-19-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-17-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2600-22-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-23-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2600-24-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download