Analysis
- Max time kernel: 149s
- Max time network: 149s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-09-2024 05:48
Tasks
- Static task: static1
- Behavioral task: behavioral1, sample fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe, resource win7-20240903-en
- Behavioral task: behavioral2, sample fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
- Size: 415KB
- MD5: fba04ac6840b68018f2e34cb163cf37b
- SHA1: bb4991c7815bf2b1c2e411b4d7cf74261194d65f
- SHA256: 775e884c62bdb526eb6a26abdd14221782ada4ba4a572741a78757d981e997dc
- SHA512: d04c749ff6a86c87e012d200720f0ebc9a661ef0b046f5436c8bba788d562e12d0566731163fecf95c532fb1217f51fcce2218805702a5263fdb374a30f747a5
- SSDEEP: 6144:5dRVzSkGTxSLD8uq5CaOPs47bhqUdUtX+t49fkR05tvEAK7/QWzBWJ4:5hqxSLo5C1Ps4XhitX+t498RgtMAYdzB
Malware Config
Extracted configuration (family: redline)
- Botnet: FiveMMM
- C2: 185.215.113.55:36801
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4632-39-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- SectopRAT payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4632-39-0x0000000000400000-0x0000000000422000-memory.dmp | family_sectoprat
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2020 | netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | Server.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4980 | 1.exe
  4872 | Server.exe
  4420 | css.exe
  4632 | 1.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." | css.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." | css.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4980 set thread context of 4632 | 4980 | 1.exe | 91
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | css.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid | Process
  4420 | css.exe (48 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4420 | css.exe
- Suspicious use of WriteProcessMemory (20 IoCs, identical entries collapsed)
  description | pid | Process | procid_target
  PID 1268 wrote to memory of 4980 (3 entries) | 1268 | fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe | 84
  PID 1268 wrote to memory of 4872 (3 entries) | 1268 | fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe | 86
  PID 4872 wrote to memory of 4420 (3 entries) | 4872 | Server.exe | 88
  PID 4420 wrote to memory of 2020 (3 entries) | 4420 | css.exe | 89
  PID 4980 wrote to memory of 4632 (8 entries) | 4980 | 1.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe (PID 1268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe (PID 4980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1.exe (PID 4632)
      Command line: C:\Users\Admin\AppData\Local\Temp\1.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 4872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\css.exe (PID 4420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\css.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 2020)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\css.exe" "css.exe" ENABLE
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Modify Registry (1)