Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2024 01:28
Static task
static1
Behavioral task
behavioral1
Sample
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
5e8176d953bf804a8fc8f97c0b42329b
-
SHA1
a579877186578f93ac32ab866921d3fd71a0465a
-
SHA256
e9dad06eb568f2e548e731525f9ae1e77e40449848f71e4201f6c6f4536415fe
-
SHA512
a74b578b102cc3d9545bcbfae2ef6ce8fabe17c02799a673850b2a9ba41ee241e3e1c25695491e49cbe5facea4dc3713e694864cfbd76d9c097e3808ecad4fa1
-
SSDEEP
49152:oXylc0jCliQf6NA93e5Ma0mJ1brlCJr7G6n45HQ6:8yuAMffjePf/0l4VQ6
Malware Config
Extracted
redline
qwertybld
135.181.170.169:36855
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SectopRAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3080-2-0x0000000000B50000-0x0000000001036000-memory.dmp family_sectoprat behavioral2/memory/3080-3-0x0000000000B50000-0x0000000001036000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exedescription ioc process File opened for modification \??\PhysicalDrive0 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exepid process 3080 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exepid process 3080 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe 3080 5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5e8176d953bf804a8fc8f97c0b42329b_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3080