Analysis

max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 06:35

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and memory-dump hit on this page are from behavioral2 (the win10v2004-20241007-en run); the win7 run (behavioral1) is not shown here.
General

Target: JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe (the filename embeds the SHA1)
Size: 661.4MB (far larger than any file listed under Downloads, the largest of which is 1.6MB, and well above the upload limits of many public scanners)
MD5: 89673d5799b9408e0db75b1648fa5680
SHA1: 8bb466d3688acf5c12679049d20e5db1df625504
SHA256: 5e83d2559380d68372abdf290376a3e2d45eb7156c6820528a55ca3fa92dad09
SHA512: 46d36f9bf68f4181444c807c227f4a2e19421eb07e9ba246892b2ca5c1f41d0e4642f122bbebc3b8107c7906f965c4758716382abab66b5fd4d427dff7fb2521
SSDEEP: 12288:lQ7nzJ5vgpptM4Q4z7FR/qaJE+kPVcui7VHqmt0Wj:lQ7VWpXM4Q0F9qI6uuihKs
Malware Config

Extracted
Family: redline
Botnet ID: 150722
C2: 95.217.35.153:9678
auth_value: 1a411aa3eb1493131bcbb3ee2114771a

The C2 is a bare IP:port rather than a domain. Treat 95.217.35.153 on TCP/9678 as the network IoC for this sample; no network entries survive on this page, so the C2 contact itself is not evidenced here.
Signatures

(sample = JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral2/memory/4964-23-0x00000000011B0000-0x00000000011D0000-memory.dmp
  yara_rule: family_redline
  The only family hit is in memory: a 0x20000-byte region of PID 4964 (jsc.exe). See SetThreadContext and WriteProcessMemory below for how it got there.

Redline family

Executes dropped EXE (1 IoC)
  PID 3260  Fianco.exe.pif

Loads dropped DLL (6 IoCs)
  PID 3260  Fianco.exe.pif  (6 loads; the report does not name the DLLs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: sample
  Caveat: a wextract_cleanup<N> value under RunOnce that points rundll32 at advpack.dll,DelNodeRunDLL32 is the standard entry written by the Windows self-extractor (wextract/IExpress) so that its IXP000.TMP extraction directory is deleted at next logon. It tells you the outer sample is an SFX package that unpacked into %TEMP%\IXP000.TMP; it is not persistence for the RedLine payload. The WOW6432Node path shows the sample runs as a 32-bit process on the x64 guest.

Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 2216  tasklist.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3260 (Fianco.exe.pif) set thread context of PID 4964  (procid_target 109; procid_target is the sandbox's own process index, not an OS PID)

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: cmd.exe (x2), tasklist.exe, findstr.exe, PING.EXE (x2), jsc.exe, sample, Fianco.exe.pif, taskkill.exe, find.exe
  Caveat: every process in the tree, including the stock Windows tools, opens this key; it is touched during ordinary process start-up, so on its own it is noise rather than evidence of geo-targeting.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PID 2520  cmd.exe
  PID 5004  PING.EXE
  PID 2324  PING.EXE
  Caveat: both pings target localhost with -n 5, which says nothing about Internet reachability; in this chain ping is a sleep of roughly four seconds used to stagger the next stage.

Kills process with taskkill (1 IoC)
  PID 3788  taskkill.exe
  Caveat: the command line is "taskkill hdgshdgeuejhd /?", which only prints taskkill's usage text; no process is killed. The signature fires on the image, not on an actual kill.

Runs ping.exe (1 TTP, 2 IoCs)
  PID 5004  PING.EXE
  PID 2324  PING.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3260  Fianco.exe.pif  (x6)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2216  tasklist.exe
  Caveat: tasklist enables SeDebugPrivilege on every run to read other processes' details; this is the tool's own behaviour, not the malware escalating.

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3260  Fianco.exe.pif  (x3)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3260  Fianco.exe.pif  (x3)

Suspicious use of WriteProcessMemory (32 IoCs)
  writer PID (image)        ->  target PID (image)     count  procid_target
  3340 (sample)             ->  3788 (taskkill.exe)    3      83
  3340 (sample)             ->  2520 (cmd.exe)         3      85
  2520 (cmd.exe)            ->  1636 (cmd.exe)         3      87
  1636 (cmd.exe)            ->  2216 (tasklist.exe)    3      88
  1636 (cmd.exe)            ->  2832 (find.exe)        3      89
  1636 (cmd.exe)            ->  3716 (findstr.exe)     3      92
  1636 (cmd.exe)            ->  3260 (Fianco.exe.pif)  3      93
  1636 (cmd.exe)            ->  5004 (PING.EXE)        3      94
  2520 (cmd.exe)            ->  2324 (PING.EXE)        3      102
  3260 (Fianco.exe.pif)     ->  4964 (jsc.exe)         5      109
  Every parent -> child pair shows exactly three writes, consistent with an ordinary start of a 32-bit child as the sandbox records it. The one exception is 3260 (Fianco.exe.pif) -> 4964 (jsc.exe): five writes, and 4964 is also the SetThreadContext target and the process whose memory carries the family_redline hit. Child created, memory written, thread context replaced: that is process hollowing of jsc.exe, the Microsoft-signed JScript.NET compiler shipped with the .NET Framework.
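The SetThreadContext entry, the YARA memory hit and the WriteProcessMemory list above only become a finding once they are joined on PID. The following Python is an added example, not part of the sandbox report or its tooling: it re-keys those tables as records constructed by hand from the report, parses the memory-dump resource name into PID and address range, and pairs WriteProcessMemory with SetThreadContext on the same (writer, target) to flag the hollowed process. The record layout, field names and function names are my own assumptions.

```python
"""Join sandbox API records into a process-hollowing finding.

Added example, not part of the sandbox report or its tooling. The records
below are constructed by hand from the report's SetThreadContext,
WriteProcessMemory and YARA tables; field and function names are my own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Memory-dump resource name as the report prints it: <pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memdump_name(resource: str) -> dict:
    """Return pid, start, end and size of the dumped region named by a resource path."""
    m = MEMDUMP_RE.search(resource)
    if m is None:
        raise ValueError(f"not a memory-dump resource name: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


@dataclass(frozen=True)
class ApiEvent:
    api: str      # "WriteProcessMemory" or "SetThreadContext"
    pid: int      # calling process
    image: str    # calling process image name
    target: int   # PID whose memory / thread was modified


@dataclass(frozen=True)
class YaraHit:
    rule: str
    resource: str


SAMPLE = "JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe"
IMAGES = {
    3340: SAMPLE, 3788: "taskkill.exe", 2520: "cmd.exe", 1636: "cmd.exe",
    2216: "tasklist.exe", 2832: "find.exe", 3716: "findstr.exe",
    3260: "Fianco.exe.pif", 5004: "PING.EXE", 2324: "PING.EXE", 4964: "jsc.exe",
}


def _writes(pid: int, target: int, n: int) -> list:
    return [ApiEvent("WriteProcessMemory", pid, IMAGES[pid], target) for _ in range(n)]


# Constructed from the report: three writes per ordinary parent->child pair,
# five writes plus one SetThreadContext for Fianco.exe.pif -> jsc.exe.
EVENTS = (
    _writes(3340, 3788, 3) + _writes(3340, 2520, 3) + _writes(2520, 1636, 3)
    + _writes(1636, 2216, 3) + _writes(1636, 2832, 3) + _writes(1636, 3716, 3)
    + _writes(1636, 3260, 3) + _writes(1636, 5004, 3) + _writes(2520, 2324, 3)
    + _writes(3260, 4964, 5)
    + [ApiEvent("SetThreadContext", 3260, IMAGES[3260], 4964)]
)
HITS = [YaraHit(
    "family_redline",
    "behavioral2/memory/4964-23-0x00000000011B0000-0x00000000011D0000-memory.dmp",
)]


def find_hollowing(events, hits, images) -> list:
    """One finding per (writer, target) pair that got both memory writes and a
    replaced thread context. The pair's write count is reported next to the
    modal write count over all pairs, which stands in for an ordinary start."""
    writes = Counter((e.pid, e.target) for e in events if e.api == "WriteProcessMemory")
    ctx_pairs = {(e.pid, e.target) for e in events if e.api == "SetThreadContext"}
    baseline = Counter(writes.values()).most_common(1)[0][0] if writes else 0

    families = {}  # target pid -> [(rule, region start, region size)]
    for h in hits:
        info = parse_memdump_name(h.resource)
        families.setdefault(info["pid"], []).append((h.rule, info["start"], info["size"]))

    findings = []
    for writer, target in sorted(ctx_pairs):
        if writer == target or writes[(writer, target)] == 0:
            continue  # self-context changes and context-only calls are not hollowing
        findings.append({
            "injector": writer, "injector_image": images.get(writer, "?"),
            "target": target, "target_image": images.get(target, "?"),
            "writes": writes[(writer, target)], "baseline_writes": baseline,
            "families": sorted(rule for rule, _, _ in families.get(target, [])),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, HITS, IMAGES):
        print(finding)
```

On this data the only pair with both a context change and writes is 3260 -> 4964, with five writes against a baseline of three and the family_redline region inside the target. Joining on the sandbox's procid_target column instead of OS PID would work the same way if a report reuses PIDs.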
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe   [PID 3340]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (the SFX outer layer: unpacks to %TEMP%\IXP000.TMP and writes the wextract_cleanup0 RunOnce value)

  C:\Windows\SysWOW64\taskkill.exe   [PID 3788]
    cmdline: taskkill hdgshdgeuejhd /?
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    (junk argument plus /?: prints usage and exits, kills nothing)

  C:\Windows\SysWOW64\cmd.exe   [PID 2520]
    cmdline: cmd /c cmd < Poggio.sldm & ping -n 5 localhost
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    (feeds Poggio.sldm, a batch script under a non-script extension, to a child cmd on stdin, then sleeps; the script's commands are the children of PID 1636)

    C:\Windows\SysWOW64\cmd.exe   [PID 1636]
      cmdline: cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe   [PID 2216]
        cmdline: tasklist /FI "imagename eq PSUAService.exe"
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\find.exe   [PID 2832]
        cmdline: find /I /N "psuaservice.exe"
        - System Location Discovery: System Language Discovery
        (tasklist | find: checks whether PSUAService.exe, a Panda Security service, is running; the script's branch on the result is not visible, but the chain continued)

      C:\Windows\SysWOW64\findstr.exe   [PID 3716]
        cmdline: findstr /V /R "^QATaFuPryUjugXihhJzUthwxgcJclmuAzJlzCtqxabKNHrtmTYYJGRGCmntlvxSFOLMFMOLpJZCHDhNlslBjBvTCeITrqPXXEtZVdmNthOZHgZYkLTSjSGrsRlCrVHpTw$" Corano.sldm
        - System Location Discovery: System Language Discovery
        (/V /R with an anchored random marker of about 130 characters: emits every line of Corano.sldm except the marker line. Any output redirect would have been in the script rather than on this command line, so the output file is not shown.)

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fianco.exe.pif   [PID 3260]
        cmdline: Fianco.exe.pif Z
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        (a dropped PE run from the SFX extraction directory under the .pif extension, which Windows executes like .exe)

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe   [PID 4964]
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          - System Location Discovery: System Language Discovery
          (hollowed: the 32-bit Framework copy, started with no arguments, written to five times by 3260, thread context replaced by 3260, and the family_redline memory hit is in this PID)

      C:\Windows\SysWOW64\PING.EXE   [PID 5004]
        cmdline: ping localhost -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

    C:\Windows\SysWOW64\PING.EXE   [PID 2324]
      cmdline: ping -n 5 localhost
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
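Most of the tree above is stock Windows tooling doing ordinary things; the signal is in the command lines and the parent/child relationships. The Python below is an added example, not part of the report or its tooling: it encodes six command-line heuristics drawn from this tree (cmd fed a script on stdin, tasklist | find probing for a security product's process, findstr /V stripping a long marker line, a .pif run from an IXP<nnn>.TMP directory, a .NET Framework compiler started by a parent outside the Windows or Program Files directories, and ping -n N localhost as a sleep) and runs them over process-creation events constructed from the tree. The event layout, rule names and thresholds (for instance the 32-character marker length) are my own choices, and the csc.exe/vbc.exe names in the compiler rule generalise beyond the jsc.exe seen here.

```python
"""Command-line heuristics for the batch-script loader chain above.

Added example, not part of the sandbox report or its tooling. The events are
constructed from the process tree; rule names and thresholds are my own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str


class TreeContext:
    """Parent and sibling lookups over one batch of process-creation events."""
    def __init__(self, events):
        self.by_pid = {e.pid: e for e in events}
        self.children = {}
        for e in events:
            self.children.setdefault(e.ppid, []).append(e)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


# Rules: each takes (event, context) and returns True on a match.

def cmd_stdin_script(e, ctx):
    # cmd.exe reading a script from stdin, so the file needs no .bat/.cmd extension
    return _name(e.image) == "cmd.exe" and re.search(r"(?<![<>])<\s*[^\s&|<>]+", e.cmdline) is not None


def av_process_probe(e, ctx):
    # tasklist filtered on one image name, with a sibling find/findstr grepping for it
    if _name(e.image) != "tasklist.exe":
        return False
    m = re.search(r'imagename\s+eq\s+([^\s"]+)', e.cmdline, re.I)
    if m is None:
        return False
    needle = m.group(1).lower()
    return any(_name(s.image) in {"find.exe", "findstr.exe"} and needle in s.cmdline.lower()
               for s in ctx.children.get(e.ppid, []))


def findstr_marker_strip(e, ctx):
    # findstr /V /R with an anchored marker of 32+ chars: drops one marker line from a blob
    if _name(e.image) != "findstr.exe":
        return False
    flags = {t.lower() for t in e.cmdline.split()}
    return {"/v", "/r"} <= flags and re.search(r'"\^[^"]{32,}\$"', e.cmdline) is not None


def pif_from_sfx_temp(e, ctx):
    # a .pif (a PE under a DOS-era extension) run from wextract's IXP<nnn>.TMP directory
    return _name(e.image).endswith(".pif") and re.search(r"\\IXP\d{3}\.TMP\\", e.image, re.I) is not None


def dev_tool_unusual_parent(e, ctx):
    # .NET Framework compiler started by a parent outside Windows/Program Files: hollowing target
    if _name(e.image) not in {"jsc.exe", "csc.exe", "vbc.exe"}:
        return False
    parent = ctx.by_pid.get(e.ppid)
    return parent is None or not parent.image.lower().startswith(("c:\\windows\\", "c:\\program files"))


def ping_sleep(e, ctx):
    # ping -n N against the local host is a delay, not a connectivity check
    return (_name(e.image) == "ping.exe" and re.search(r"-n\s+\d+", e.cmdline) is not None
            and re.search(r"\b(localhost|127\.0\.0\.1)\b", e.cmdline, re.I) is not None)


RULES = [cmd_stdin_script, av_process_probe, findstr_marker_strip,
         pif_from_sfx_temp, dev_tool_unusual_parent, ping_sleep]


def evaluate(events):
    """Map each PID that matched at least one rule to the list of rule names."""
    ctx = TreeContext(events)
    return {e.pid: names for e in events if (names := [r.__name__ for r in RULES if r(e, ctx)])}


def chain_score(events, root_pid):
    """Number of distinct rules that fired anywhere in the tree under root_pid."""
    ctx, hits, seen, stack = TreeContext(events), evaluate(events), set(), [root_pid]
    while stack:
        pid = stack.pop()
        seen.update(hits.get(pid, []))
        stack.extend(c.pid for c in ctx.children.get(pid, []))
    return len(seen)


# Constructed from the process tree in the report (PIDs and command lines as shown).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_8bb466d3688acf5c12679049d20e5db1df625504.exe"
MARKER = ("QATaFuPryUjugXihhJzUthwxgcJclmuAzJlzCtqxabKNHrtmTYYJGRGCmntlvxSFOLMFMOLpJZCHDh"
          "NlslBjBvTCeITrqPXXEtZVdmNthOZHgZYkLTSjSGrsRlCrVHpTw")
EVENTS = [
    ProcEvent(3340, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3788, 3340, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill hdgshdgeuejhd /?"),
    ProcEvent(2520, 3340, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Poggio.sldm & ping -n 5 localhost"),
    ProcEvent(1636, 2520, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2216, 1636, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "imagename eq PSUAService.exe"'),
    ProcEvent(2832, 1636, r"C:\Windows\SysWOW64\find.exe", 'find /I /N "psuaservice.exe"'),
    ProcEvent(3716, 1636, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "^{MARKER}$" Corano.sldm'),
    ProcEvent(3260, 1636, TEMP + r"\IXP000.TMP\Fianco.exe.pif", "Fianco.exe.pif Z"),
    ProcEvent(4964, 3260, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"),
    ProcEvent(5004, 1636, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 5"),
    ProcEvent(2324, 2520, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 localhost"),
]
```

Each rule is weak on its own (ping -n to localhost appears in plenty of admin scripts), which is why chain_score counts distinct rules under one root: all six fire under PID 3340 here, while the same rules against a single stray ping would score one. The taskkill /? call and the bare inner cmd deliberately match nothing.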
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  (this single mapping is the wextract_cleanup0 RunOnce value discussed under Signatures)

Downloads
(five files captured; the report gives hashes only, not names or paths)

Filesize: 924KB
MD5: 50b7d1dd8fe6292a45afe0dc36ec5a00
SHA1: 206da347c5fe3b54a7ec7dab38fea3b61b29f7de
SHA256: ffbc5221d96d85ef8a104749d794a1461f0c41068f9cb03f07ccde47e20c1cf6
SHA512: aacf9d767104e75fa448b776615b00008428545f1b68c3c847651e06496cee781b31e420a0e7fdbb872c1290e19351aaf071514a18c32eec4a34a1594e9ede68

Filesize: 924KB
MD5: 6987e4cd3f256462f422326a7ef115b9
SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Filesize: 9KB
MD5: e3ad0207dc1dd633161367821b32b573
SHA1: 27f172f884bd717f7c7edf8a3fd09aa91bc12cad
SHA256: a5c8edc3c46a657b913ad60a55f86d1673847d976d08dede738ca8d1e84f2e5c
SHA512: 28bc8b477f468f13210fd062871627ddae6a8b1bdb1e2097d60be3d9135b21907158f849cfc3b48f5833461456d015e3ed0a643e6ed1977308dfb27acac9c800

Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Filesize: 801KB
MD5: 7bd82729aa3a32262fded6fbd0c75f0f
SHA1: 7561aae7a37523d8b2625bdddc7241a6d1bec0ef
SHA256: a714365262ccbbde0f90697b6548e21c8a72c9c3fb2108744379f27fed9db03f
SHA512: a2e3e75994c1120590e6491bc0b07b66b449e417eddd9f0847a46bcf6bb8babad2ed008e9287cba68f9e35c5202ba71a5aadbf43e6855c3b1056ef4471fd9316