Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 15:39
Static task: static1
Behavioral task: behavioral1
Sample: e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
Size: 2.3MB
MD5: e222be0565282bbd796d02f502b3940e
SHA1: e3f8f52b25d2e9d32ec0b1fa66fab8979c84be3a
SHA256: 325e22d8dba548d64047458fde7d8dda2fcfcc1e711f0dc46630c9750dd4ea9f
SHA512: 947bd604839ba08cc95018bbeb2c18473ea86a52814f3bd8d8d9cb4e478735253d34e83bfa7cdd06a8524b0b3124ed6c373cd4eb17cf3b4397cba90abcc3a6df
SSDEEP: 49152:55+hFiL/0cAr+wWZVuxTrm2PUf26RUSVT3MIUlf2xiz8lVHTIioOFZQ+0:55aFiL/07SwWZAx3Vcf2UZ62xiqZ70
Malware Config
Extracted
redline
@p1pk466
45.14.49.109:54819
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023c9e-32.dat | family_redline
  behavioral2/memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp | family_redline
- Redline family
- SectopRAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023c9e-32.dat | family_sectoprat
  behavioral2/memory/2328-35-0x00000000006F0000-0x000000000070E000-memory.dmp | family_sectoprat
- Sectoprat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  3460 | 7z.exe
  1484 | 7z.exe
  3164 | 7z.exe
  2328 | @p1pk466.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  3460 | 7z.exe
  1484 | 7z.exe
  3164 | 7z.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @p1pk466.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 3460 | 7z.exe
  Token: 35 | 3460 | 7z.exe
  Token: SeSecurityPrivilege | 3460 | 7z.exe
  Token: SeSecurityPrivilege | 3460 | 7z.exe
  Token: SeRestorePrivilege | 1484 | 7z.exe
  Token: 35 | 1484 | 7z.exe
  Token: SeSecurityPrivilege | 1484 | 7z.exe
  Token: SeSecurityPrivilege | 1484 | 7z.exe
  Token: SeRestorePrivilege | 3164 | 7z.exe
  Token: 35 | 3164 | 7z.exe
  Token: SeSecurityPrivilege | 3164 | 7z.exe
  Token: SeSecurityPrivilege | 3164 | 7z.exe
  Token: SeDebugPrivilege | 2328 | @p1pk466.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3940 wrote to memory of 4448 | 3940 | e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe | 83
  PID 3940 wrote to memory of 4448 | 3940 | e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe | 83
  PID 4448 wrote to memory of 2276 | 4448 | cmd.exe | 85
  PID 4448 wrote to memory of 2276 | 4448 | cmd.exe | 85
  PID 4448 wrote to memory of 3460 | 4448 | cmd.exe | 86
  PID 4448 wrote to memory of 3460 | 4448 | cmd.exe | 86
  PID 4448 wrote to memory of 1484 | 4448 | cmd.exe | 87
  PID 4448 wrote to memory of 1484 | 4448 | cmd.exe | 87
  PID 4448 wrote to memory of 3164 | 4448 | cmd.exe | 88
  PID 4448 wrote to memory of 3164 | 4448 | cmd.exe | 88
  PID 4448 wrote to memory of 904 | 4448 | cmd.exe | 89
  PID 4448 wrote to memory of 904 | 4448 | cmd.exe | 89
  PID 4448 wrote to memory of 2328 | 4448 | cmd.exe | 90
  PID 4448 wrote to memory of 2328 | 4448 | cmd.exe | 90
  PID 4448 wrote to memory of 2328 | 4448 | cmd.exe | 90
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  904 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e222be0565282bbd796d02f502b3940e_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3940
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
    - Suspicious use of WriteProcessMemory
    PID:4448
    C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID:2276
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e file.zip -p -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID:3460
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID:1484
    C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID:3164
    C:\Windows\system32\attrib.exe
      Command line: attrib +H "@p1pk466.exe"
      - Views/modifies file attributes
      PID:904
    C:\Users\Admin\AppData\Local\Temp\svchost\@p1pk466.exe
      Command line: "@p1pk466.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2328
Network
MITRE ATT&CK Enterprise v15
Downloads