Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-08-2024 14:16
Static task
static1
Behavioral task
behavioral1
Sample
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
bc12a78e9fa9d478519f478da7110aac
-
SHA1
f71f87cffff4d5703a28c5cb2185827de2a69cae
-
SHA256
50ac59102c7262beed7f3957c7eef1efcd70617f1013f312540c2f545b366925
-
SHA512
b0b866c605efdd3673d4e990f35b473b4990ffab2dde63cc997316bd6889129e44992e08ad7268a0777f84025706357dfc9c9534049011872af219ac100f14dc
-
SSDEEP
49152:dxd9gk9S5AOsU44eeU5PiHmQgK6OAdD/InraQip6n:dxd9gkg5ApieeU5UmvdDIrmMn
Malware Config
Extracted
redline
qwertybld
135.181.170.169:36855
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SectopRAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4260-2-0x0000000000330000-0x00000000007D4000-memory.dmp family_sectoprat behavioral2/memory/4260-3-0x0000000000330000-0x00000000007D4000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process File opened for modification \??\PhysicalDrive0 bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exepid process 4260 bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exepid process 4260 bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe 4260 bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc12a78e9fa9d478519f478da7110aac_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4260