redline | 22224dbc9deb5666654ae9542ad626b6426c6cb0b34e02b5e75b4617941f8142

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe
Size

2.3MB
MD5

5801c11a8af174c11c10d3f8b61edfa8
SHA1

5c8706cd7d6fde8f4df0931f84439dbc53a72c33
SHA256

22224dbc9deb5666654ae9542ad626b6426c6cb0b34e02b5e75b4617941f8142
SHA512

f2a3499201b32bd77f8906bc5653ab1632dea4f77cfbe6f4938b59e363c205feb29c3314a0f98eb3399ce79ea601569f7c8d234217a1d7e9878bb9572a5689a5
SSDEEP

49152:M5+hFlLY4Xt9TdO14EQBg/GM/OxvBVjkQOtwtqpsSgxiz8lVHTIioOFZQ+c:M5aFlxPTdO14LBTnnjkdtwtq+BxiqZ7c

Score

10^/10

redline @spoon_machine606060 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@Spoon_machine606060

62.182.156.24:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b83-82.dat	family_redline
behavioral2/memory/1888-83-0x0000000000710000-0x0000000000730000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe

Executes dropped EXE 12 IoCs

pid	Process
772	7z.exe
3976	7z.exe
2228	7z.exe
4864	7z.exe
2428	7z.exe
1304	7z.exe
3572	7z.exe
4424	7z.exe
2860	7z.exe
3064	7z.exe
5036	7z.exe
1888	bild.exe

Loads dropped DLL 11 IoCs

pid	Process
772	7z.exe
3976	7z.exe
2228	7z.exe
4864	7z.exe
2428	7z.exe
1304	7z.exe
3572	7z.exe
4424	7z.exe
2860	7z.exe
3064	7z.exe
5036	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	772	7z.exe
Token: 35	772	7z.exe
Token: SeSecurityPrivilege	772	7z.exe
Token: SeSecurityPrivilege	772	7z.exe
Token: SeRestorePrivilege	3976	7z.exe
Token: 35	3976	7z.exe
Token: SeSecurityPrivilege	3976	7z.exe
Token: SeSecurityPrivilege	3976	7z.exe
Token: SeRestorePrivilege	2228	7z.exe
Token: 35	2228	7z.exe
Token: SeSecurityPrivilege	2228	7z.exe
Token: SeSecurityPrivilege	2228	7z.exe
Token: SeRestorePrivilege	4864	7z.exe
Token: 35	4864	7z.exe
Token: SeSecurityPrivilege	4864	7z.exe
Token: SeSecurityPrivilege	4864	7z.exe
Token: SeRestorePrivilege	2428	7z.exe
Token: 35	2428	7z.exe
Token: SeSecurityPrivilege	2428	7z.exe
Token: SeSecurityPrivilege	2428	7z.exe
Token: SeRestorePrivilege	1304	7z.exe
Token: 35	1304	7z.exe
Token: SeSecurityPrivilege	1304	7z.exe
Token: SeSecurityPrivilege	1304	7z.exe
Token: SeRestorePrivilege	3572	7z.exe
Token: 35	3572	7z.exe
Token: SeSecurityPrivilege	3572	7z.exe
Token: SeSecurityPrivilege	3572	7z.exe
Token: SeRestorePrivilege	4424	7z.exe
Token: 35	4424	7z.exe
Token: SeSecurityPrivilege	4424	7z.exe
Token: SeSecurityPrivilege	4424	7z.exe
Token: SeRestorePrivilege	2860	7z.exe
Token: 35	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeRestorePrivilege	3064	7z.exe
Token: 35	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeRestorePrivilege	5036	7z.exe
Token: 35	5036	7z.exe
Token: SeSecurityPrivilege	5036	7z.exe
Token: SeSecurityPrivilege	5036	7z.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2340	1592	JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe	82
PID 1592 wrote to memory of 2340	1592	JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe	82
PID 2340 wrote to memory of 4152	2340	cmd.exe	84
PID 2340 wrote to memory of 4152	2340	cmd.exe	84
PID 2340 wrote to memory of 772	2340	cmd.exe	85
PID 2340 wrote to memory of 772	2340	cmd.exe	85
PID 2340 wrote to memory of 3976	2340	cmd.exe	86
PID 2340 wrote to memory of 3976	2340	cmd.exe	86
PID 2340 wrote to memory of 2228	2340	cmd.exe	87
PID 2340 wrote to memory of 2228	2340	cmd.exe	87
PID 2340 wrote to memory of 4864	2340	cmd.exe	88
PID 2340 wrote to memory of 4864	2340	cmd.exe	88
PID 2340 wrote to memory of 2428	2340	cmd.exe	89
PID 2340 wrote to memory of 2428	2340	cmd.exe	89
PID 2340 wrote to memory of 1304	2340	cmd.exe	90
PID 2340 wrote to memory of 1304	2340	cmd.exe	90
PID 2340 wrote to memory of 3572	2340	cmd.exe	91
PID 2340 wrote to memory of 3572	2340	cmd.exe	91
PID 2340 wrote to memory of 4424	2340	cmd.exe	92
PID 2340 wrote to memory of 4424	2340	cmd.exe	92
PID 2340 wrote to memory of 2860	2340	cmd.exe	93
PID 2340 wrote to memory of 2860	2340	cmd.exe	93
PID 2340 wrote to memory of 3064	2340	cmd.exe	94
PID 2340 wrote to memory of 3064	2340	cmd.exe	94
PID 2340 wrote to memory of 5036	2340	cmd.exe	95
PID 2340 wrote to memory of 5036	2340	cmd.exe	95
PID 2340 wrote to memory of 2972	2340	cmd.exe	96
PID 2340 wrote to memory of 2972	2340	cmd.exe	96
PID 2340 wrote to memory of 1888	2340	cmd.exe	97
PID 2340 wrote to memory of 1888	2340	cmd.exe	97
PID 2340 wrote to memory of 1888	2340	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5801c11a8af174c11c10d3f8b61edfa8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________26206pwd13570pwd26176pwd10997pwd955pwd13352pwd9295___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\system32\attrib.exe
    attrib +H "bild.exe"
    3⤵
    - Views/modifies file attributes
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\main\bild.exe
    "bild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\bild.exe

Filesize
104KB

MD5
ccb99cbba6e71970e4285e1de9075d5b

SHA1
7b068b092f87710e11f25c420cdd92d62b7c1393

SHA256
c386cc11137e680a9a2fa1167a907ab34762f36d8e169a34fd23eb2c40d337bd

SHA512
d140f06bc1a8ab15cdc4f04d6893f917bee17da0b796d62f9639eef5aaca2663a1bf44dcba3db93503a5a6ed841ea10aae4b15a26cec12c007ff0925e5c63ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
a192dbca8f4c0743849fe7d09cb9677f

SHA1
18b3b0c23a232b53acd3e72bc20aaebdbfbd1b9c

SHA256
fa57d6c1aa8a94ffeba7a18ae39ee1f42ef9071a580d3b979b30095f1fb28b30

SHA512
01135269d5ca5f204c547414f50746be0a20fc11f62204ced70489d323293d626280aef328abfaa8c2b560a6906b99003826a734933760a872420393ab17f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
43KB

MD5
b22d22f5c969cdc8e1790db08977e93d

SHA1
96f13dc1f7a9ca5efe05ccca88bc8a0edc32e25e

SHA256
acf2fb7c18fb34946a8196abd7166cdd3e3fa80f5b4062a5ab283a6af6288af4

SHA512
9c7c71cce13602cf3fa1377c540bffad6545545340e8d8e0bd554f4e76f67c3e6feae4974ee556c70c6007730980ab800d174caca7d39b8f1e37c14f4adafacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
1.6MB

MD5
e1006951d4a4e4bd852dfecc70f4a2ad

SHA1
da116cf9bbaf004adcab6271b824af8e0b4ad048

SHA256
ec574a5d916e28e4bdcbea9f14213b31c38e9b2828c608ffbb5ae4a9b2babd6c

SHA512
c8acfb8ce7ecc806c7855f352e35aeb4a48bc7037c91b40ad260dd8045a97791daf5b8ee46daad1c1aad113891dcbe412960d5e95ef5841c95fdcf9bcbe1421e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
43KB

MD5
36a2a5f7660ef8adeaef9022685527ea

SHA1
8ee99b7a84bece50e5caf213925bd353a3f55464

SHA256
0a67da004a3f6ff904618555ad17049e0cb1ade27a4399499a8e703ff0c38a93

SHA512
6a2809098c9f07a3ccbc98c5faa1be9417ad00b8ee1a37a2a4f70db423a64b75e6894cfbb02d0abbf1883a12d9ebca980660e3e6da86be7fc0e788d89cc2e25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
44KB

MD5
fbc50415f90563b4fd4b3ffcd9d3dff8

SHA1
1cc31c7449f19955291c7a3d46596583ef7933c8

SHA256
18c939eb73b1ab4dcb121bf285f6d88dfb14a28db7945f46b6ac3a0f9afdaa0d

SHA512
1c7c671b286f47070c34ff5556186af5075eb85a949ce4a27d6d7ca09ca3636a4bca26a08b428438a01afb634da98e2108d6fbe965d55d63b4e9b92de38916f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
44KB

MD5
7a55f2e4fa69f036c655f01a55197a7d

SHA1
aa41a28a38a49b5a0a9233c76e2965f4df73c8be

SHA256
792548343f6ed2e410f03e5ea351449271ff070412aa8bf5b46fa35e5e4771e6

SHA512
2a5423698ad2ecb0ffd6cd9966f9e74d480c9f5470068e652b2ab4f67f5e4efce4d9b5e96e5df7210abfc8ca1bb33df38bae4425ede5c0dc3ee51f80093a1032

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
44KB

MD5
800ae21bef1f1f8bdae2c7c6b6dae3af

SHA1
1548a33557609ab102027f312b73ac0718855166

SHA256
d27f6f76f47c8b58c12a58e63d095f3cd34d9942c85e6d6e5f96f6f3aa5b86d5

SHA512
2ef9005938e2aab2daf5dda4cfc72002910485e7ffe9838dd1c4d124b74014fd50aba5c62c3761cc313d6bb2088a6254f41aeaf81aa00d2e1d16f51180c3aea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
44KB

MD5
387792c33874bc2a863487ac81df3469

SHA1
61fba5361c199440ca1c532152c763f422d6c2e7

SHA256
9fc37ef6f0e1086ab32dbc5c9e48022c253c416b669bf63f4f608c805efffece

SHA512
6dfe165e0ac017209fbca07ab5dbe377baa47871b858717a9bad753aa5177347eed7724f809716fdad45e0a830c352282773ca6ecd27f4aa864c56a45470b1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
44KB

MD5
c68f6924d67ec6096585e37b6aba0313

SHA1
30858410359e2a71ddfed582896132db682dc19b

SHA256
430922938d21dbf0cad4fedfe10ef256dd8bf60fe809550196597d1ab7f84848

SHA512
29a63e77cdeb199a7af62255f002e470a6b01b5673672c955d436418404b5f670faeb057b3a043d70d553a8e85c32fe7101103d96a54115f06ce860e74ffe52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
44KB

MD5
97b3f5279e32626d2797bac17b922171

SHA1
b5a7f95b77b19101ce2be5af65bad8ed7e937571

SHA256
85d6ba8445f347e3b599c8295c8d098a681273a63aeb0cd02ac870b1fd58184e

SHA512
2da2d9babaad913065fc307ff6c9c23f1f8a33836391d6b23eddb5e62be90c7464cba349d1b3d627f7653b3794ab45f5ae87e60cdfdf4f8fada741a94f539d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
44KB

MD5
da7dce384f814b185c4390b0419cdc5f

SHA1
8b1f9f1c14b9e103ee88bad8ed1fd071776e004e

SHA256
1792d9d30b97116d349eb5763dc34f44457c665515df07e531647645097df1a4

SHA512
0430935d4af2bf047022671fcfeacd3c0d3bddd479cc988250537bb13841cf3fd95208c013c7a770557f2de3dbb687a430ac214ae87118054f3c03d1bfc84f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
9dbad1f9c4de9a66e51f44c5075831ab

SHA1
cf529b2389b138761e410d2e275344b5d02dd231

SHA256
666adcc5b3a309d1856ecd0d326f218a28368f1e7de5181e0a9ae5ed0d895f71

SHA512
7d2c34cfad0aee82b2ccd9a1efee639f7eec628bf3be571430b2e128927fca1f5a5bbe68c71e8dddf861265bc1f95a45d92401f0a87099b6c403c5dd10960bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
494B

MD5
69ca14196e58d8c9d83745e4ade92697

SHA1
686a70cbe32013212666819e13562a357efc242b

SHA256
0c2636ada2fc1909280a043603fb9247f528e6825ecab2efdf37f5bc739e12ab

SHA512
440d10d52c5ef2349105a865f962391d6ff386a61dfe627577a25b42e8cc67d0dc39ba4423fc8be4bed28134be4c7cfb3cb5886a9af9516872a2fc0ff962d90d

Download Submit
memory/1888-90-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/1888-86-0x00000000062F0000-0x0000000006908000-memory.dmp

Filesize
6.1MB

Download
memory/1888-84-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/1888-83-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/1888-89-0x00000000056E0000-0x000000000571C000-memory.dmp

Filesize
240KB

Download
memory/1888-88-0x0000000005450000-0x000000000555A000-memory.dmp

Filesize
1.0MB

Download
memory/1888-87-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/1888-85-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download