Analysis
-
max time kernel
143s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 21:59
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe
-
Size
788.0MB
-
MD5
4b5aac23177e4025904694536bfdffbf
-
SHA1
0712b3545a92eea6173b5244ed56438ff391775e
-
SHA256
40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb
-
SHA512
397f54fc4ab75fc2424844dd4c672e01a62c350e0d8e72ea178da92ee3684f7de27fdc8576064aadc87a45beb6afd9d0bd7f4073422d49c1068e44db611a416b
-
SSDEEP
3145728:K/VEoseAyU5iFSWLTtsB6zrZDIXQKs9ePv:K/VEbeAyUoFSWLyqlDlKs9ePv
Malware Config
Extracted
redline
@mossad_rat2
94.142.138.191:2369
-
auth_value
9c14ebaa47bb822162e82a6441198c73
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/5040-4-0x0000000000800000-0x0000000000830000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2444 set thread context of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83 PID 2444 wrote to memory of 5040 2444 JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40ba3fecbb83d20040de0ebba581d3874aaabc7f831d767afd846120a693d4bb.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5040
-