Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2024, 16:13 UTC

General

  • Target

    JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe

  • Size

    700.0MB

  • MD5

    9a2c573e882d31251e1bcd07ba90585f

  • SHA1

    d46878f2ad28df08972371a617bce73ae623523c

  • SHA256

    d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

  • SHA512

    40ac3d1cca6bb8eb7ccfb0d1ae0467423b0355ee5cded84b1095a284f08cecbd70325b808df933d47a7af60081470ad71ee1021e724759227379052302ff3894

  • SSDEEP

    98304:h9eCUTzzphq1G/jxZIo0YYUOJimJJQYts5JcyTcvg6BtufkCJ:PefTzVhqpP9JvgpTcvf7ufz

Malware Config

Extracted

Family

redline

Botnet

Notepad_2

C2

194.36.177.124:39456

Attributes
  • auth_value

    37464cc4dd294b9925a8c1092e1c72a9

Signatures

  • Detect PureCrypter injector 1 IoCs
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Purecrypter family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\timeout.exe
          timeout 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2752
      • C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
        "C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2636
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2688
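
The tree above is the chain the signatures describe: the sample extracts DRIVER~1.EXE into an IXP000.TMP directory (PID 1684), which runs cmd.exe /c timeout 10, drops an NSIS-style installer, and starts InstallUtil.exe with no arguments while itself carrying the SetThreadContext and WriteProcessMemory signatures. The Python below is an added example, not tria.ge code, that turns that lineage into three detection rules and runs them over process-creation records constructed from this tree (PIDs, image paths and command lines as reported; the per-process signature sets keep only the API-related bullets). The DOTNET_HOSTS set extends beyond InstallUtil.exe to other .NET utilities commonly abused as injection hosts and is an assumption of the example, as is the requirement that the parent already showed SetThreadContext and WriteProcessMemory.

```python
"""Detection rules for the dropped-EXE -> sandbox delay -> .NET host chain in
the process tree above. Added example, not tria.ge code; the records are
constructed from the tree on this page."""
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Assumption of this example (extends beyond the page): .NET framework
# utilities commonly started argument-less to receive an injected payload.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    signatures: frozenset = frozenset()


# Constructed from the process tree: PIDs, image paths and command lines as
# reported; 'signatures' keeps only the API-related bullets shown per process.
EVENTS = [
    ProcEvent(1872, 0,
              r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe"',
              frozenset({"WriteProcessMemory"})),
    ProcEvent(1684, 1872,
              r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE",
              r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE",
              frozenset({"SetThreadContext", "WriteProcessMemory"})),
    ProcEvent(2868, 1684, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout 10',
              frozenset({"WriteProcessMemory"})),
    ProcEvent(2752, 2868, r"C:\Windows\SysWOW64\timeout.exe", "timeout 10"),
    ProcEvent(2636, 1684,
              r"C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"'),
    ProcEvent(2688, 1684,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def argv(cmdline):
    # posix=False keeps Windows backslashes literal and quoted paths as one token
    return shlex.split(cmdline, posix=False)


def lineage(events, pid):
    """PIDs from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyze(events):
    """Return {rule name: [hits]} for the three rules described above."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # root of the tree; nothing to compare against
        args = argv(e.cmdline)
        # Rule 1: a binary under %LOCALAPPDATA%\Temp launching another one from
        # there (IExpress-style IXP000.TMP extraction, then the NSIS installer).
        if in_user_temp(e.image) and in_user_temp(parent.image):
            hits["dropped_exe_from_temp"].append(e.pid)
        # Rule 2: cmd /c timeout N spawned by a temp-resident parent: a delay
        # that costs the sample nothing but can outlast a sandbox's time budget.
        if (basename(e.image) == "cmd.exe" and len(args) >= 4
                and args[1].lower() == "/c" and args[2].lower() == "timeout"
                and args[3].isdigit() and in_user_temp(parent.image)):
            hits["sandbox_delay"].append((e.pid, int(args[3])))
        # Rule 3: a .NET utility started with no arguments by a temp-resident
        # parent that already used SetThreadContext and WriteProcessMemory:
        # the shape of process hollowing into a Microsoft-signed host.
        if (basename(e.image) in DOTNET_HOSTS and len(args) == 1
                and in_user_temp(parent.image)
                and {"SetThreadContext", "WriteProcessMemory"} <= parent.signatures):
            hits["dotnet_hollowing_host"].append(e.pid)
    return dict(hits)


if __name__ == "__main__":
    for rule, found in analyze(EVENTS).items():
        print(rule, found)
    print("lineage of 2688:", " -> ".join(str(p) for p in lineage(EVENTS, 2688)))
```

On the tree above, rule 1 fires for PIDs 1684 and 2636, rule 2 for 2868 with a 10-second delay, and rule 3 for 2688. In a live pipeline the ProcEvent records would come from process-creation telemetry and the signature sets from API tracing; rule 2 on its own also matches legitimate installers that wait, so treat it as a scoring signal that strengthens rules 1 and 3 rather than as an alert by itself.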

Network

    Destination             Process            Size     Packets
    194.36.177.124:39456    InstallUtil.exe    152 B    3
    194.36.177.124:39456    InstallUtil.exe    152 B    3
    194.36.177.124:39456    InstallUtil.exe    152 B    3
    194.36.177.124:39456    InstallUtil.exe    152 B    3
    194.36.177.124:39456    InstallUtil.exe    152 B    3

    All five flows go to the RedLine C2 from the extracted config and are attributed to InstallUtil.exe (PID 2688), the argument-less .NET host started by DRIVER~1.EXE; no other network results are recorded for this run.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsy458A.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    33bdef54523d7a4d0545d18fb143570a

    SHA1

    b374ab4674804b3c45d70e3507ef5973704b6285

    SHA256

    1e0d6de76527ae8cb6c2671b46e7c807e9a28a36b4920038451eeffc12255b88

    SHA512

    6b4a2f75febed0d25d17c1c56590203cec4a322e85f4b72b5bd1516e03c8cf7f817c48d2ad08f99a8c8a84ae386dddc3b0447026de7df9f74e38954618af95b8

  • \Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe

    Filesize

    4.3MB

    MD5

    542c0f910db312aa76c75d5cdbf76844

    SHA1

    18f608b6220c392ddde0194352b3faf7a10608d1

    SHA256

    6d80dcfdb5a979eb11de1ebbf5733a101fbe4cd8f7c1ac10f651e71fadf52e4a

    SHA512

    087f415c20d485cc322be24ae43f730ae7edfa6f64fe78828727a8cf47a0207d18a9b45769f9f3228cd5012c7d34244ccc7edb3e93ba0cc263c4370153fe4a0d

  • \Users\Admin\AppData\Local\Temp\nsy458A.tmp\InstallOptions.dll

    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

  • \Users\Admin\AppData\Local\Temp\nsy458A.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    68b287f4067ba013e34a1339afdb1ea8

    SHA1

    45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    SHA256

    18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    SHA512

    06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

  • \Users\Admin\AppData\Local\Temp\nsy458A.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • \Users\Admin\AppData\Local\Temp\nsy458A.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    6c3f8c94d0727894d706940a8a980543

    SHA1

    0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    SHA256

    56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    SHA512

    2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

  • memory/1684-11-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

  • memory/1684-43-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

  • memory/1684-12-0x0000000006560000-0x00000000069EA000-memory.dmp

    Filesize

    4.5MB

  • memory/1684-6-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

  • memory/1684-10-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

  • memory/1684-13-0x0000000000250000-0x000000000029C000-memory.dmp

    Filesize

    304KB

  • memory/1684-7-0x0000000000CC0000-0x000000000116E000-memory.dmp

    Filesize

    4.7MB

  • memory/1684-8-0x00000000053D0000-0x0000000005858000-memory.dmp

    Filesize

    4.5MB

  • memory/1684-9-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2688-37-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-35-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-40-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-41-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-42-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2688-33-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB
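
The memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names above encode the process, the dump sequence number and the dumped address range, so the Filesize values can be recomputed from the names themselves. The Python below is an added example, not tria.ge code, that parses those names, regroups the dumps per process and region, and flags the one region that stands out: a 128 KB range at 0x400000 in InstallUtil.exe (PID 2688), a Windows-installed binary started by the temp-resident injector, dumped seven times. The dump list is copied from this page, the PID-to-image map from the process tree; the image-base heuristic is the example's own.

```python
"""Parse tria.ge memory-dump names and surface an image-base region inside a
Windows host binary. Added example, not tria.ge code; dump names are copied
from the Downloads section of this report."""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Dump names exactly as listed above.
DUMPS = [
    "memory/1684-11-0x0000000074230000-0x000000007491E000-memory.dmp",
    "memory/1684-43-0x0000000074230000-0x000000007491E000-memory.dmp",
    "memory/1684-12-0x0000000006560000-0x00000000069EA000-memory.dmp",
    "memory/1684-6-0x000000007423E000-0x000000007423F000-memory.dmp",
    "memory/1684-10-0x000000007423E000-0x000000007423F000-memory.dmp",
    "memory/1684-13-0x0000000000250000-0x000000000029C000-memory.dmp",
    "memory/1684-7-0x0000000000CC0000-0x000000000116E000-memory.dmp",
    "memory/1684-8-0x00000000053D0000-0x0000000005858000-memory.dmp",
    "memory/1684-9-0x0000000074230000-0x000000007491E000-memory.dmp",
    "memory/2688-31-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2688-37-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-35-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-40-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-41-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-42-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2688-33-0x0000000000400000-0x0000000000420000-memory.dmp",
]

# PID -> image path, from the process tree on this page.
IMAGE_BY_PID = {
    1684: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE",
    2688: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
}


def parse_dump_name(name):
    """Return pid, seq, start, end and byte size encoded in a dump file name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format like the report: whole KB below 1 MiB, one-decimal MB above."""
    return f"{nbytes / 2**20:.1f}MB" if nbytes >= 2**20 else f"{nbytes // 1024}KB"


def summarize(names):
    """Map (pid, start, end) -> (size string, number of times dumped)."""
    counts = Counter((d["pid"], d["start"], d["end"])
                     for d in map(parse_dump_name, names))
    return {key: (human_size(key[2] - key[1]), n)
            for key, n in sorted(counts.items())}


def hollowing_candidates(names, image_by_pid):
    """Regions at the classic 0x400000 PE image base inside a process whose
    image lives under C:\\Windows. Heuristic of this example, not a tria.ge
    signature: such a region in a system binary is worth pulling and checking
    for a PE header, since a hollowed host carries the payload's image there."""
    hits = []
    for (pid, start, end), (size, n) in summarize(names).items():
        image = image_by_pid.get(pid, "").lower()
        if start == 0x400000 and image.startswith("c:\\windows\\"):
            hits.append((pid, start, end, size, n))
    return hits


if __name__ == "__main__":
    for (pid, start, end), (size, n) in summarize(DUMPS).items():
        print(f"pid {pid}: {start:#010x}-{end:#010x} {size:>6} dumped {n}x")
    print("hollowing candidates:", hollowing_candidates(DUMPS, IMAGE_BY_PID))
```

The recomputed sizes match the Filesize values in the list above (6.9MB for 0x74230000-0x7491E000, 4.7MB for 0xCC0000-0x116E000, 128KB for 0x400000-0x420000). The heuristic is deliberately narrow; a process of your own that was built without ASLR also loads at 0x400000, so restrict it, as here, to binaries you expect to be relocated and confirm by inspecting the dump.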
