Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 09:35

General

  • Target

    JaffaCakes118_f875e7889bc9b22fed2b3ae4e1fd6fb9fcdd961d90340b9ca8acca040dbb9c38.exe

  • Size

    740.7MB

  • MD5

    1ef41688d18258df513ffd6cae9efff8

  • SHA1

    c684d674b51c803dedd44b4eade1bcc1e968d702

  • SHA256

    f875e7889bc9b22fed2b3ae4e1fd6fb9fcdd961d90340b9ca8acca040dbb9c38

  • SHA512

    0bbda315e8ae77839b9838b71da34ef44b6ac7887aff68c92b53b69fc72370c4ea34ea7d4e3678de5d8b838ccc9b83188a73586ddfc414cdfad7cff2293746fc

  • SSDEEP

    393216:8UwOIEK84WQsykAeYnkAeYUaMImg8C0Qu:

Malware Config

Extracted

Family

redline

Botnet

1753096510_99

C2

mevlut.top:28786

Attributes
  • auth_value

    a07030fe3f8bdab3b41f5eec3083470b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f875e7889bc9b22fed2b3ae4e1fd6fb9fcdd961d90340b9ca8acca040dbb9c38.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f875e7889bc9b22fed2b3ae4e1fd6fb9fcdd961d90340b9ca8acca040dbb9c38.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 36
      2⤵
      • Program crash
      PID:916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1636-10-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1636-9-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1636-3-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1636-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1636-1-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1636-11-0x00000000747AE000-0x00000000747AF000-memory.dmp

    Filesize

    4KB

  • memory/1636-12-0x00000000747A0000-0x0000000074E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/1636-13-0x00000000747AE000-0x00000000747AF000-memory.dmp

    Filesize

    4KB

  • memory/1636-14-0x00000000747A0000-0x0000000074E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2640-0-0x0000000000458000-0x0000000000459000-memory.dmp

    Filesize

    4KB