Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2024 00:47

General

  • Target

    aa587896aed2ffa708a0d2f636856034_JaffaCakes118.exe

  • Size

    923KB

  • MD5

    aa587896aed2ffa708a0d2f636856034

  • SHA1

    f906c6e8df5613b9773777f94a6b1a8ad408ed14

  • SHA256

    cb1e959421818bfd984d74595d0b5df2c2b709ea1c14881a30838ae4ed2a0d5f

  • SHA512

    ec01c8855428b8558ad8d224e55934d74608b61e93be0427e04de200657c6d2bbfa6cc0b0b2712e43534a2310a842b3459ec1012fc11609afb76d739a743a24c

  • SSDEEP

    24576:mSLXbC4FylKrdLLkB59d12GUBeHKANy4onenuqds1kXx+:VrylKpoBxjUBP2S6uqGmh+

Malware Config

Extracted

Family

redline

Botnet

felix1008

C2

193.188.22.4:45689

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa587896aed2ffa708a0d2f636856034_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aa587896aed2ffa708a0d2f636856034_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
        PID:4200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < Per.mdb
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^ZHOJmZdMpJQvRMzCBqksNzVigmIPegogVyRZYHxxrBVgqJwHVDOKiYUGLHxZsAJVABAMVzEUFQgjbHuFnwTnAniWllgdjxrCRqOnogLBZUtdKHorAPBdGlcwxECKyh$" Improvvisa.mdb
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4448
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com
            Esistenza.exe.com f
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com f
              5⤵
              • Drops startup file
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3584
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:220
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost -n 30
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1960

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Improvvisa.mdb

      Filesize

      872KB

      MD5

      7359ca53b5f1d00a5517e69889f224f9

      SHA1

      546120dad248c270937f6c2e79f86af0e5ab7827

      SHA256

      95e272d36b98e7f3c2e350153c7286d41f04dce42628d80960a64320736aa4d0

      SHA512

      e615697c71b4b966d1f278eafdffb151be5608afd34e01f12df625a92e9125c388c70b3d9c4bd333b3f29fc4bf512d6a0ae3fd39086c4a47263e6f31a8c992b7

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Per.mdb

      Filesize

      595B

      MD5

      39c82ae673566e85ead3cbc77d816fa7

      SHA1

      8657dc20a4c5aa7a4b92ceb910ff4b7800bcf079

      SHA256

      33f6e7441dd4c77f4ee09246892dc1f3ac8b47fafd3e23381370487ce945802f

      SHA512

      fdf511ce6997f76df432ec714c85a06442de2076eb4fb0c8df838b46ddb8538fd0e9889dd38474de99d6815fa64dff29dc5c7f872ef2175ede60d4e0d9d3522b

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.mdb

      Filesize

      100KB

      MD5

      0bd380c0a1b3c2c7062f06e328349e0f

      SHA1

      1ae28136d4346fbd8f8875421155607497eb4060

      SHA256

      9a0fc3d17c51d84d57acc54b1e43c90af26cf7d8982fbf713a55784dcd8ec35a

      SHA512

      6a72eef757d4b96e7b39fb1791813822b8eca1b757720f5ad6c69dd15a2b84bf43683c427eeb59e8dae4924f1637d39a9d9510ed6e7a37cb3ebeb6b7645effcb

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tele.mdb

      Filesize

      898KB

      MD5

      d9bc3d12858707e659291a737e78c703

      SHA1

      919430d2a7929d16848ac48b761b43fc6538afd5

      SHA256

      75c490c20734f68b5f6ebcb519eca2b3e7ef7ebe63139baa1cf50f881dc83373

      SHA512

      d0ed004b8c3cf8ceca91ce403835b427d43e563e966e7254dfc06604cd654369909dd28dfc7486c8e16108ef590dc287bee2d4c05e85e5808c7ee92ef979ed52

    • memory/220-29-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/220-32-0x0000000005770000-0x0000000005D88000-memory.dmp

      Filesize

      6.1MB

    • memory/220-33-0x0000000005200000-0x0000000005212000-memory.dmp

      Filesize

      72KB

    • memory/220-34-0x00000000052A0000-0x00000000052DC000-memory.dmp

      Filesize

      240KB

    • memory/220-35-0x00000000052E0000-0x000000000532C000-memory.dmp

      Filesize

      304KB

    • memory/220-36-0x0000000005550000-0x000000000565A000-memory.dmp

      Filesize

      1.0MB