Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 09:56
Static task
static1
Behavioral task
behavioral1
Sample
179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe
-
Size
356KB
-
MD5
179dbbdb6e22f978115168d87a70ab33
-
SHA1
324a73e17fdcada034d3ad841286f9d6b5873fcb
-
SHA256
258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463
-
SHA512
237a58b819f086f9ed2215e99d7b13ed027d252e47a3ba17deb5b28e3db27f853f2d2d75bdbfb3b875dec8dc0fa4fb059e3be6e41dc3b47b2020c2298a6b0358
-
SSDEEP
6144:zo9QlVmhcIS/rwO+l7qYspB2NnYXmJ8tuy2a9W17fyF45pDBKoydJ:zdxrwHRqxQNYXO8tt2aw1DyWPDO
Malware Config
Extracted
redline
@bestiefFcs
37.1.213.214:63028
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/11728-2516-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral1/memory/11728-2516-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs
Abuse Regasm to proxy execution of malicious code.
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\RegAsm.exe 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe Key opened \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 11728 RegAsm.exe -
Loads dropped DLL 2 IoCs
pid Process 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 11728 RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2956 set thread context of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 896 powershell.exe 2556 powershell.exe 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 896 powershell.exe Token: SeIncreaseQuotaPrivilege 896 powershell.exe Token: SeSecurityPrivilege 896 powershell.exe Token: SeTakeOwnershipPrivilege 896 powershell.exe Token: SeLoadDriverPrivilege 896 powershell.exe Token: SeSystemProfilePrivilege 896 powershell.exe Token: SeSystemtimePrivilege 896 powershell.exe Token: SeProfSingleProcessPrivilege 896 powershell.exe Token: SeIncBasePriorityPrivilege 896 powershell.exe Token: SeCreatePagefilePrivilege 896 powershell.exe Token: SeBackupPrivilege 896 powershell.exe Token: SeRestorePrivilege 896 powershell.exe Token: SeShutdownPrivilege 896 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeSystemEnvironmentPrivilege 896 powershell.exe Token: SeRemoteShutdownPrivilege 896 powershell.exe Token: SeUndockPrivilege 896 powershell.exe Token: SeManageVolumePrivilege 896 powershell.exe Token: 33 896 powershell.exe Token: 34 896 powershell.exe Token: 35 896 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeIncreaseQuotaPrivilege 2556 powershell.exe Token: SeSecurityPrivilege 2556 powershell.exe Token: SeTakeOwnershipPrivilege 2556 powershell.exe Token: SeLoadDriverPrivilege 2556 powershell.exe Token: SeSystemProfilePrivilege 2556 powershell.exe Token: SeSystemtimePrivilege 2556 powershell.exe Token: SeProfSingleProcessPrivilege 2556 powershell.exe Token: SeIncBasePriorityPrivilege 2556 powershell.exe Token: SeCreatePagefilePrivilege 2556 powershell.exe Token: SeBackupPrivilege 2556 powershell.exe Token: SeRestorePrivilege 2556 powershell.exe Token: SeShutdownPrivilege 2556 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeSystemEnvironmentPrivilege 2556 powershell.exe Token: SeRemoteShutdownPrivilege 2556 powershell.exe Token: SeUndockPrivilege 2556 powershell.exe Token: SeManageVolumePrivilege 2556 powershell.exe Token: 33 2556 powershell.exe Token: 34 2556 powershell.exe Token: 35 2556 powershell.exe Token: SeDebugPrivilege 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe Token: SeDebugPrivilege 11728 RegAsm.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2956 wrote to memory of 896 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 31 PID 2956 wrote to memory of 896 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 31 PID 2956 wrote to memory of 896 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 31 PID 2956 wrote to memory of 896 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2556 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 34 PID 2956 wrote to memory of 2556 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 34 PID 2956 wrote to memory of 2556 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 34 PID 2956 wrote to memory of 2556 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 34 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36 PID 2956 wrote to memory of 11728 2956 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe"1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.82⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.82⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\RegAsm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:11728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZML68D2X6NJXQTJGKMFG.temp
Filesize7KB
MD5cd9a7bfb2d8e555767196da38c0c9847
SHA174c67d44d8e0ba45c07547ef501243bc2bea5e62
SHA2561af434d484130e8aad3d622efe4e73c8840418d6eba28e593ff0c1263b87a360
SHA5123d1e8340aa9db92adeb8141ee009a7cd1f6e55c50362a9cbe21477241c2d58e56a4a9c6c65141840f3eb58a74a08282feb29d88106b73ed4e7286252ce4fa164
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD569512e86988e7745483bdb0ecbf8d1ca
SHA19b6a6e0b06c0470bbe76603a4ef4414c11915f77
SHA2561f6d76bfd9ca4c03640432f08b884b38f3108319bdbc66e499c7c93da0fb783f
SHA5126bf20c63125b691de706efde1be4c65b1f320bd1638241b99f10a4879daf476b3653071c93738e16f3b9091372a78d9047528f1cb433eda3504d80ba30a33a54
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab