Overview

overview

10

Static

static

3

JaffaCakes...aa.exe

windows7-x64

10

JaffaCakes...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_378088eee28e38af84b75eb9dcf671aa.exe

  • Size

    349KB

  • MD5

    378088eee28e38af84b75eb9dcf671aa

  • SHA1

    c091d335658edd3ceb9255ecd7eccc086cbae25e

  • SHA256

    345e261754c2653003e6a59a03a6f7b20a487785f8420366735c641270e1cada

  • SHA512

    6df2f5c354654dd794b326425c035690045eb40bdb489058295d9ef4a5068fd0bfc006006ad72701660bd83bcaeae775b2116c8da6fe38d32a3a02b161e44881

  • SSDEEP

    6144:QUSw3fbq4a6LKXpzdKgneetfFqJTTiabAOPSW7N88e5Qx3e9+D8:Q5w3fbq4a6Lap7CTR+0OsD8

Score
10/10
redlinesectoprat@roxiq1337discoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

@roxiq1337

C2

164.132.202.45:20588

Attributes
  • auth_value

    3e9eda97b6589ac15756de0ba010d48f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Sectoprat family
    sectoprat
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_378088eee28e38af84b75eb9dcf671aa.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_378088eee28e38af84b75eb9dcf671aa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1928-1-0x00000000001E0000-0x00000000002E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2340-3-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2340-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-2-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2340-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2340-11-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2340-12-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-13-0x00000000749C0000-0x00000000750AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2340-14-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-15-0x00000000749C0000-0x00000000750AE000-memory.dmp

    Filesize

    6.9MB

    Download