Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 18:57
Static task
static1
Behavioral task
behavioral1
Sample
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe
-
Size
298KB
-
MD5
e77ee5479b6e8da5b7f09dfac202647f
-
SHA1
c61d85632f576e96dbc2dde78eff64c08f2858d9
-
SHA256
756151e99176d79019cc0e9c44b5ed9fd81d890d0fd51e49806aeb1f5c8fd8d9
-
SHA512
b568dd024146a9cc53860b67fa492eb1e961b9fbb75cc2b3d893253be50f399f4562f6903524894a553e5ed91b16966dea4b01de9260a83947356904a52cf832
-
SSDEEP
6144:nbdT3QrOeIyAQgtpy5u+eCHNHlOMx2scNZn+8:BT3QiPQg/+us8PsW9
Malware Config
Extracted
redline
@Crypto4ok
185.213.209.36:36533
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2504-37-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2504-37-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exedescription pid Process procid_target PID 1008 set thread context of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exepowershell.exee77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exee77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exepid Process 3668 powershell.exe 3668 powershell.exe 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exee77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exedescription pid Process Token: SeDebugPrivilege 3668 powershell.exe Token: SeDebugPrivilege 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exedescription pid Process procid_target PID 1008 wrote to memory of 3668 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 89 PID 1008 wrote to memory of 3668 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 89 PID 1008 wrote to memory of 3668 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 89 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99 PID 1008 wrote to memory of 2504 1008 e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
C:\Users\Admin\AppData\Local\Temp\e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe2⤵
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:81⤵PID:4980
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e77ee5479b6e8da5b7f09dfac202647f_JaffaCakes118.exe.log
Filesize1KB
MD57ebe314bf617dc3e48b995a6c352740c
SHA1538f643b7b30f9231a3035c448607f767527a870
SHA25648178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA5120ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82