Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-12-2024 00:28
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe
-
Size
690.8MB
-
MD5
6f08f29d29f20c346f3ce0f48eff9501
-
SHA1
4da2b9b4c09533b69bab68992b104815b47da766
-
SHA256
31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832
-
SHA512
9ffa3b0c7415a950c970b726f15b5224100af1c08578aacfd2b24dec6c8a086f67c7419105ca6e5bcb2a70c1bc4b172ad8a5f7db091da3e6c46bce68569d9d03
-
SSDEEP
3072:lX1S3AqhsHHTK5VByymUk3BPtSgeFoxT6Wo+tPS9+7MmA6EtLhps5nz0gwAksmGO:lleAqhm4ItDSgTV09m9+hxG
Malware Config
Extracted
redline
1420836138_99
dragrun.top:28786
-
auth_value
4aadbeb8eb384fe698f24dde846a0759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/2712-8-0x0000000000090000-0x00000000000D4000-memory.dmp family_redline behavioral1/memory/2712-9-0x0000000000090000-0x00000000000D4000-memory.dmp family_redline behavioral1/memory/2712-2-0x0000000000090000-0x00000000000D4000-memory.dmp family_redline -
Redline family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2092 set thread context of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31 PID 2092 wrote to memory of 2712 2092 JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b98e6b868401f59434e04b6f1576f3e5c7b3415c03547255dae66a3b3f3832.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2712
-