Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-10-2024 19:30
Static task
static1
Behavioral task
behavioral1
Sample
24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
24449e8379cfa7ac8bd4626f2733d9dd
-
SHA1
6893666bc6fdcf4754670918442dcc5e3163b071
-
SHA256
18ea9c80e8c3049120e236fdaf3653822f6974ac665da6fa92d922412fad96f0
-
SHA512
7a68e0006b592435d313e2b0a1b3976cb092aba11b01d7a7843495424d9cdf2b65cdf6c9358629c935dbfd28a9e80ee405fbe1807fedd3a29f8127e8377a0f1c
-
SSDEEP
49152:SWxRB1ZgLs8yyNd0w7HqLp4qGMmAI6nTaXiQ5w7:ZnB0RyyQtL7GM46nTaXjw7
Malware Config
Extracted
redline
build1
135.181.170.169:36855
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SectopRAT payload 2 IoCs
resource yara_rule behavioral1/memory/1708-2-0x00000000003D0000-0x000000000088E000-memory.dmp family_sectoprat behavioral1/memory/1708-3-0x00000000003D0000-0x000000000088E000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1708 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1708 24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\24449e8379cfa7ac8bd4626f2733d9dd_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1708