Analysis
max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2024 06:35
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
Resource
win10v2004-20241007-en
General
Target
JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
Size
661.4MB
MD5
89673d5799b9408e0db75b1648fa5680
SHA1
8bb466d3688acf5c12679049d20e5db1df625504
SHA256
5e83d2559380d68372abdf290376a3e2d45eb7156c6820528a55ca3fa92dad09
SHA512
46d36f9bf68f4181444c807c227f4a2e19421eb07e9ba246892b2ca5c1f41d0e4642f122bbebc3b8107c7906f965c4758716382abab66b5fd4d427dff7fb2521
SSDEEP
12288:lQ7nzJ5vgpptM4Q4z7FR/qaJE+kPVcui7VHqmt0Wj:lQ7VWpXM4Q0F9qI6uuihKs
Malware Config
Extracted
redline
150722
95.217.35.153:9678
auth_value
1a411aa3eb1493131bcbb3ee2114771a
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 3 IoCs
resource yara_rule
behavioral1/memory/3004-25-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline
behavioral1/memory/3004-32-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline
behavioral1/memory/3004-31-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline
Redline family
Executes dropped EXE 1 IoCs
pid Process
2616 Fianco.exe.pif
Loads dropped DLL 7 IoCs
pid Process
2608 cmd.exe
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process
2640 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2616 set thread context of 3004 2616 Fianco.exe.pif 40
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fianco.exe.pif
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
2592 cmd.exe
2112 PING.EXE
2512 PING.EXE
Kills process with taskkill 1 IoCs
pid Process
2332 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs
pid Process
2112 PING.EXE
2512 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2640 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
2616 Fianco.exe.pif
2616 Fianco.exe.pif
2616 Fianco.exe.pif
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 1860 wrote to memory of 2332 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 28
PID 1860 wrote to memory of 2332 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 28
PID 1860 wrote to memory of 2332 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 28
PID 1860 wrote to memory of 2332 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 28
PID 1860 wrote to memory of 2592 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 30
PID 1860 wrote to memory of 2592 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 30
PID 1860 wrote to memory of 2592 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 30
PID 1860 wrote to memory of 2592 1860 JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe 30
PID 2592 wrote to memory of 2608 2592 cmd.exe 32
PID 2592 wrote to memory of 2608 2592 cmd.exe 32
PID 2592 wrote to memory of 2608 2592 cmd.exe 32
PID 2592 wrote to memory of 2608 2592 cmd.exe 32
PID 2608 wrote to memory of 2640 2608 cmd.exe 33
PID 2608 wrote to memory of 2640 2608 cmd.exe 33
PID 2608 wrote to memory of 2640 2608 cmd.exe 33
PID 2608 wrote to memory of 2640 2608 cmd.exe 33
PID 2608 wrote to memory of 2372 2608 cmd.exe 34
PID 2608 wrote to memory of 2372 2608 cmd.exe 34
PID 2608 wrote to memory of 2372 2608 cmd.exe 34
PID 2608 wrote to memory of 2372 2608 cmd.exe 34
PID 2608 wrote to memory of 2508 2608 cmd.exe 36
PID 2608 wrote to memory of 2508 2608 cmd.exe 36
PID 2608 wrote to memory of 2508 2608 cmd.exe 36
PID 2608 wrote to memory of 2508 2608 cmd.exe 36
PID 2608 wrote to memory of 2616 2608 cmd.exe 37
PID 2608 wrote to memory of 2616 2608 cmd.exe 37
PID 2608 wrote to memory of 2616 2608 cmd.exe 37
PID 2608 wrote to memory of 2616 2608 cmd.exe 37
PID 2608 wrote to memory of 2112 2608 cmd.exe 38
PID 2608 wrote to memory of 2112 2608 cmd.exe 38
PID 2608 wrote to memory of 2112 2608 cmd.exe 38
PID 2608 wrote to memory of 2112 2608 cmd.exe 38
PID 2592 wrote to memory of 2512 2592 cmd.exe 39
PID 2592 wrote to memory of 2512 2592 cmd.exe 39
PID 2592 wrote to memory of 2512 2592 cmd.exe 39
PID 2592 wrote to memory of 2512 2592 cmd.exe 39
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
PID 2616 wrote to memory of 3004 2616 Fianco.exe.pif 40
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
  C:\Windows\SysWOW64\taskkill.exe
  taskkill hdgshdgeuejhd /?
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2332
  C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Poggio.sldm & ping -n 5 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
    C:\Windows\SysWOW64\cmd.exe
    cmd
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
      C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq PSUAService.exe"
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2640
      C:\Windows\SysWOW64\find.exe
      find /I /N "psuaservice.exe"
      - System Location Discovery: System Language Discovery
      PID:2372
      C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^QATaFuPryUjugXihhJzUthwxgcJclmuAzJlzCtqxabKNHrtmTYYJGRGCmntlvxSFOLMFMOLpJZCHDhNlslBjBvTCeITrqPXXEtZVdmNthOZHgZYkLTSjSGrsRlCrVHpTw$" Corano.sldm
      - System Location Discovery: System Language Discovery
      PID:2508
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fianco.exe.pif
      Fianco.exe.pif Z
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID:2616
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        - System Location Discovery: System Language Discovery
        PID:3004
      C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID:2112
    C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2512
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
Filesize
924KB
MD5
50b7d1dd8fe6292a45afe0dc36ec5a00
SHA1
206da347c5fe3b54a7ec7dab38fea3b61b29f7de
SHA256
ffbc5221d96d85ef8a104749d794a1461f0c41068f9cb03f07ccde47e20c1cf6
SHA512
aacf9d767104e75fa448b776615b00008428545f1b68c3c847651e06496cee781b31e420a0e7fdbb872c1290e19351aaf071514a18c32eec4a34a1594e9ede68

Filesize
9KB
MD5
e3ad0207dc1dd633161367821b32b573
SHA1
27f172f884bd717f7c7edf8a3fd09aa91bc12cad
SHA256
a5c8edc3c46a657b913ad60a55f86d1673847d976d08dede738ca8d1e84f2e5c
SHA512
28bc8b477f468f13210fd062871627ddae6a8b1bdb1e2097d60be3d9135b21907158f849cfc3b48f5833461456d015e3ed0a643e6ed1977308dfb27acac9c800

Filesize
801KB
MD5
7bd82729aa3a32262fded6fbd0c75f0f
SHA1
7561aae7a37523d8b2625bdddc7241a6d1bec0ef
SHA256
a714365262ccbbde0f90697b6548e21c8a72c9c3fb2108744379f27fed9db03f
SHA512
a2e3e75994c1120590e6491bc0b07b66b449e417eddd9f0847a46bcf6bb8babad2ed008e9287cba68f9e35c5202ba71a5aadbf43e6855c3b1056ef4471fd9316

Filesize
924KB
MD5
6987e4cd3f256462f422326a7ef115b9
SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Filesize
1.2MB
MD5
d124f55b9393c976963407dff51ffa79
SHA1
2c7bbedd79791bfb866898c85b504186db610b5d
SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06