Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 15:39

General

  • Target

    e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    e222be0565282bbd796d02f502b3940e

  • SHA1

    e3f8f52b25d2e9d32ec0b1fa66fab8979c84be3a

  • SHA256

    325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f

  • SHA512

    947bd604839ba08cc95018bbeb2c18473ea86a52814f3bd8d8d9cb4e478735253d34e83bfa7cdd06a8524b0b3124ed6c373cd4eb17cf3b4397cba90abcc3a6df

  • SSDEEP

    49152:55+hFiL/0cAr+wWZVuxTrm2PUf26RUSVT3MIUlf2xiz8lVHTIioOFZQ+0:55aFiL/07SwWZAx3Vcf2UZ62xiqZ70

Malware Config

Extracted

Family

redline

Botnet

@p1pk466

C2

45.14.49.109:54819

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:2276
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e file.zip -p -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1484
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3164
        • C:\Windows\system32\attrib.exe
          attrib +H "@p1pk466.exe"
          3⤵
          • Views/modifies file attributes
          PID:904
        • C:\Users\Admin\AppData\Local\Temp\svchost\@p1pk466.exe
          "@p1pk466.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2328

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

      Filesize

      1.6MB

      MD5

      72491c7b87a7c2dd350b727444f13bb4

      SHA1

      1e9338d56db7ded386878eab7bb44b8934ab1bc7

      SHA256

      34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

      SHA512

      583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

    • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

      Filesize

      458KB

      MD5

      619f7135621b50fd1900ff24aade1524

      SHA1

      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

      SHA256

      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

      SHA512

      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@p1pk466.exe

      Filesize

      100KB

      MD5

      c925d81a2dd75773b97e6a8d13f6fb4b

      SHA1

      b6dcd52b9e9a403622aebe65b40e56b22fa98d86

      SHA256

      0e4c8e36333ce5f43f665d0cb82ce84c4a37a28a0682264e4fa953d5ad6a6ad4

      SHA512

      c82838e6b1cd6b401749c51aac8f53ff5ddebc3c33fffc1d3700231c7b4333e0506ce3881e059e87eb7bcf1424af800b051ba9a51a8b691f542dd58adad3f5c0

    • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

      Filesize

      2.0MB

      MD5

      5df9e79bb04b19fcab6b85a73413be85

      SHA1

      430f1a97ffe91b03594a8713142b065b786c7083

      SHA256

      99ea3b24d8ae6c5c7f60aa3672323cf63e5bc5cb62dafc753c798f91ecb05201

      SHA512

      b62b1a720e50d774515aa3522b5dbd66bbfb6220b6689cb5a9380b3aa1db5b97f85cc6c538c7f509509e7e70b6f58c9934236d495b19fbafba33bd4d2e71b12d

    • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

      Filesize

      40KB

      MD5

      4254c4b84d63195c954dc5a3279f7b95

      SHA1

      e06d63515ce330877c64c502ccbe8fe7a934050d

      SHA256

      860e803573dfc9db7acd05fae0b83c952ac97d4afb3e6c90bfc4ebdca8839dce

      SHA512

      608034e95ac3227e7815445db0f42fb4a7cb9806ad4b66ba533ea25ca7be43a6ae742d2a0750da1db01a08c926c928e35325b3cebc78d01d1d2b04856b10d082

    • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

      Filesize

      1.5MB

      MD5

      109887f17629acd9fe674602f268a5ad

      SHA1

      69784340bd71cc64cfce4f22f27071ca342d9ec1

      SHA256

      bfd112804ac9a57132537ae209236284f79eea7c154f99288889fa678d0f9761

      SHA512

      1408cea8a0358567179ff0438b62dec12569f4cd8c3a4e8bf1f1aca67f3bc012330a974ea86d76338831c0475f6e2424c0654f30c8c958c2cece02318f6a4bf1

    • C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

      Filesize

      1.5MB

      MD5

      d59bcada5b0f85c3ea964411e2c07a14

      SHA1

      4d09caebb39f3fa8052c1aed1d1fb8e168eaf2d8

      SHA256

      a1b94fafd51679a362fe826747a07c79b2f8d4014eb025f1dd36d82c119690ae

      SHA512

      b9725f76db5e08a5d9b3dd7e699327f633891224e5e02efe92f9d968c192e5b004bba4a29b19b3dd6d93485280c48fc2786874b63ff9bd9f8ae4e583a778c770

    • C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

      Filesize

      452B

      MD5

      0ff61ab3b929d84c244cc237695b19e9

      SHA1

      f2cd2da60c8477707de03cd761004a9f519c8b9e

      SHA256

      e78b5a017124a16b0c5c53bb390a70afc894369a296baee32fd59a5a78ec5796

      SHA512

      2648162d627cdc26314b47933da41b80d7be60c6247e6759d642aee422384fd7d3fad01627ecb9fe4451a9dc15c53c0fb1d1ebec47ad4f3d25e6bf43b69a9a5a

    • memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp

      Filesize

      120KB

    • memory/2328-36-0x00000000054D0000-0x0000000005AE8000-memory.dmp

      Filesize

      6.1MB

    • memory/2328-37-0x0000000004F70000-0x0000000004F82000-memory.dmp

      Filesize

      72KB

    • memory/2328-38-0x0000000004FD0000-0x000000000500C000-memory.dmp

      Filesize

      240KB

    • memory/2328-39-0x0000000005010000-0x000000000505C000-memory.dmp

      Filesize

      304KB

    • memory/2328-40-0x0000000005310000-0x000000000541A000-memory.dmp

      Filesize

      1.0MB