Analysis
-
max time kernel
4s -
max time network
67s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 14:43
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe
-
Size
930.0MB
-
MD5
3ad9cd498f060013a18c40a8cad0d445
-
SHA1
969aaa9e855d9340460f25ece9ffa6bd3864608a
-
SHA256
c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce
-
SHA512
6ee4c67fe6a76d5bb20d08afb064ee266649b3213332b83943b491024f8fc86f73b9edd1eb29cd347afa6c030a0ee08a07a916eee347ad69755120e996cc3355
-
SSDEEP
25165824:Cnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnf:Cnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnf
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2304 wrote to memory of 1872 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 32 PID 2304 wrote to memory of 1872 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 32 PID 2304 wrote to memory of 1872 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 32 PID 2304 wrote to memory of 1872 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 32 PID 2304 wrote to memory of 1936 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 33 PID 2304 wrote to memory of 1936 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 33 PID 2304 wrote to memory of 1936 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 33 PID 2304 wrote to memory of 1936 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 33 PID 2304 wrote to memory of 3016 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 34 PID 2304 wrote to memory of 3016 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 34 PID 2304 wrote to memory of 3016 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 34 PID 2304 wrote to memory of 3016 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 34 PID 2304 wrote to memory of 2708 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 35 PID 2304 wrote to memory of 2708 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 35 PID 2304 wrote to memory of 2708 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 35 PID 2304 wrote to memory of 2708 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 35 PID 2304 wrote to memory of 2976 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 36 PID 2304 wrote to memory of 2976 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 36 PID 2304 wrote to memory of 2976 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 36 PID 2304 wrote to memory of 2976 2304 JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c93af8d94c03adaf209946a1d98e54620a9392199ff677fc32a3c0e32b9e70ce.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe#cmd2⤵PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe#cmd2⤵PID:1936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe#cmd2⤵PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe#cmd2⤵PID:2708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe#cmd2⤵PID:2976
-