Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2025, 18:26 UTC

General

  • Target

    JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe

  • Size

    2.3MB

  • MD5

    72919bf5ac55f584c67da2004287e124

  • SHA1

    97d545f94fbac0bb6458ec0a1dcedcf969f7cf93

  • SHA256

    b275923761c65cf5ed348b36508d1369d59f1fe4cd471acbd995b7c16df27cb9

  • SHA512

    cdc82826777156b258d8642375088e7fe46b807ba59793b082129cded2f0f76427f64de74421db82c9ebac1568a692dd361176f5c5bca65f1d1af0d2b4f16c5d

  • SSDEEP

    49152:H5+hFHxq1JcJ05gwY7xnXst4sQWKh+BH8gjlPh4Tcaxiz8lVHTIioOFZQ+v:H5aFRqxl6hyHHa+BH1jngcaxiqZ7v

Malware Config

Extracted

  • Family
    redline
  • Botnet
    @normhhd
  • C2
    62.182.156.24:12780
  • Attributes
    • auth_value
      bb67ccc49d44343128ca161d7fe51029

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:1776
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e file.zip -p___________4167pwd23162pwd24256pwd3899pwd21523pwd6183pwd5060___________ -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1504
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_10.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4108
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_9.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3672
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_8.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3972
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_7.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3964
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_6.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_5.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1728
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4808
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4160
        • C:\Windows\system32\attrib.exe
          attrib +H "@normhhd.exe"
          3⤵
          • Views/modifies file attributes
          PID:4076
        • C:\Users\Admin\AppData\Local\Temp\main\@normhhd.exe
          "@normhhd.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2368

    Network

    DNS (all PTR queries sent to 8.8.8.8:53; each line gives the query, the answer, bytes sent / received, then the two count columns)

    • 8.8.8.8.in-addr.arpa: dns.google  (66 B / 90 B, 1 / 1)
    • 28.118.140.52.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)
    • 29.153.16.2.in-addr.arpa: a2-16-153-29.deploy.static.akamaitechnologies.com  (70 B / 133 B, 1 / 1)
    • 64.159.190.20.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)
    • 95.221.229.192.in-addr.arpa: no PTR record returned  (73 B / 144 B, 1 / 1)
    • 232.168.11.51.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)
    • 209.205.72.20.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)
    • 198.187.3.20.in-addr.arpa: no PTR record returned  (71 B / 157 B, 1 / 1)
    • 53.210.109.20.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)
    • 166.190.18.2.in-addr.arpa: a2-18-190-166.deploy.static.akamaitechnologies.com  (71 B / 135 B, 1 / 1)
    • 172.210.232.199.in-addr.arpa: no PTR record returned  (74 B / 128 B, 1 / 1)
    • 13.227.111.52.in-addr.arpa: no PTR record returned  (72 B / 158 B, 1 / 1)

    Connections (remote address, process, bytes, count); six separate connections to the extracted RedLine C2 were observed:

    • 62.182.156.24:12780  @normhhd.exe  260 B  5
    • 62.182.156.24:12780  @normhhd.exe  260 B  5
    • 62.182.156.24:12780  @normhhd.exe  260 B  5
    • 62.182.156.24:12780  @normhhd.exe  260 B  5
    • 62.182.156.24:12780  @normhhd.exe  260 B  5
    • 62.182.156.24:12780  @normhhd.exe  260 B  5

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\main\7z.dll

      Filesize

      1.6MB

      MD5

      72491c7b87a7c2dd350b727444f13bb4

      SHA1

      1e9338d56db7ded386878eab7bb44b8934ab1bc7

      SHA256

      34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

      SHA512

      583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

    • C:\Users\Admin\AppData\Local\Temp\main\7z.exe

      Filesize

      458KB

      MD5

      619f7135621b50fd1900ff24aade1524

      SHA1

      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

      SHA256

      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

      SHA512

      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    • C:\Users\Admin\AppData\Local\Temp\main\@normhhd.exe

      Filesize

      104KB

      MD5

      d62aa042df33a547e8285b3ecd32ecd2

      SHA1

      1f0b1039b8ac46c445d74fad6d072a73129ff740

      SHA256

      6e7b7247eb14418b43d9ac257e3b1600e428c66010ddfc6f34f51c5b0b86a6a4

      SHA512

      0de47d94bd894518d695e955eb8a4917c867ecc8732613e688989dd1e38294152398fb7d5300e67f46620c5509530d91c4b4ab238b19b07085cb5f87534b3930

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

      Filesize

      2.1MB

      MD5

      5e2fb08e59b7efe2bd28f55206cb9daf

      SHA1

      f906c3263aa09bc6a57b76032ad4f72b75944c02

      SHA256

      9df4a6b489ff097789f275822f7a7d63606c254db3af4ecb1ed143e64f18a2c3

      SHA512

      e107d5e29f8a1bde0a38180a31185f8d6f39aa12e47622330fdecb0a7635cfa7da1ce053840dbe99062c61339c94b1126bea9b973e51a7ba76d27e9ab622a196

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

      Filesize

      43KB

      MD5

      0a27e7638db4cec0b87ceaae07dfb208

      SHA1

      536af2de69ac9a03e1e10b3b8ac044be4ff72a22

      SHA256

      e4da2a07234c1a916865f67584d9204bd52a8c9aa7720cb4875f059d1c799edf

      SHA512

      e16361c467aabb8885c14d88d1c762634ea31e55766714fa5f3d46f9ae2838a804b4729e58cc2905c83ea1aff1ae278eb0a02c6bfbc3f2e907de80364c430d2e

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

      Filesize

      1.6MB

      MD5

      c5e94de79269bc96d05151025867592f

      SHA1

      089d3b402f0a477bf527268763c189e4c4d2f6aa

      SHA256

      cb3cacd0dfd5785f9c5d594cc2ba75216b9d0e786cfca39e72bd5f62311a5d08

      SHA512

      5f3801af1659afea30003ba411db86e93d21f77638047fb2968e3b5e895520096bbb614cec8b01489e3a2c9ca59690f780abc3e1d0b6a69796f3601436f64545

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

      Filesize

      43KB

      MD5

      14dfcb2fc9f3ccc2805cf2e77107b7c2

      SHA1

      51cd7b0c4a112dd51fbb3a5e213118c0e2621a0d

      SHA256

      4b18ec68c07bd31b824fcda431b27a98bbcdd3604b4e8bd0868b2b6c6dd8d11f

      SHA512

      355a934108debd184b71f05ef53d67840773fbadb2d2a2beffd6d4f47434d8fcc0605ce8defa57a09583143f7f6bc07881b58341fe8167775096aaa66a3ee59e

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

      Filesize

      44KB

      MD5

      a8939febfebb028225a1ff386dd53eb1

      SHA1

      cebf6e5e860b141e64135b23061c818b6fdc9771

      SHA256

      fa16c85d14e26ba0f729c8c7e9d165c45dc3d3c7c6dc7b6c380074aa5eaf2d0c

      SHA512

      48bce1305bcfe5e429e8a1edf48246dc166d8bf276769cc24a8af7cce7f7a6772dc24ad5b0b993a00ed5d95121b965bff0d468725609e28dbefae4fa6430c882

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

      Filesize

      44KB

      MD5

      98aa6e7bc005c5ce78968397acb465dd

      SHA1

      9ffd1d0df4e5f1c2c80891411247b829cf299471

      SHA256

      ec80bc892c5e96a9ff5eb2b1aa9ca3e4594513907c5d00619bb80fb84a33cb44

      SHA512

      777ccb5b6baf6f662555dab0c40123a670bbfcd4154e99619cb7ac7a6549089f1a3962e955caa4adbf969c5ae43709a8560ebf3cecd6ed01788094806b600dfe

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

      Filesize

      44KB

      MD5

      d0091e189f8a95a4dfa6343988bb54d5

      SHA1

      938d5b1062d20c115e7a749cd6bb022c22ac963d

      SHA256

      52f3b6b861b7a8d57b50ae59a32a94ec5e7e4f700ea333c1ba503bae9e91b04e

      SHA512

      c5819ebd17072b84e3d2df377d96e0849632e86c9e1ed57077002c7ed068547f88d1b8be9b7d63ae781d6a8847e7c85a1e5e98f07e662da741400962e0c65256

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

      Filesize

      44KB

      MD5

      85159e9eda153788caefa180f612a374

      SHA1

      9c0f4b2ba7505e1b9cb62f82ba9205408e232a04

      SHA256

      551064a6cff12417ef8c2845bfe2c86c5198840ad36c02b7f45518546ff20c0b

      SHA512

      176748cc65602bbb4dbcf37f090810bd5c421a88e31f469663a120ee52f7f4ab61fb3904abee42b294b555385ad79920f0a643f299fc40d0c049b841d4c6c168

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

      Filesize

      44KB

      MD5

      2181fdb9223135d9a4c5f94a7f0934ec

      SHA1

      1b914913e99e4cb0d0376e79fb540a174587e720

      SHA256

      dc85b5f5b1915bb047f64e7d1f61cb41f74834715169865382356603b1f6472d

      SHA512

      62442cee6276db9ad5f31ccbbbb2aa8a0495d3ee837dfb4f83d8235dd4148789568129c23e72a6f4a7440afb4348ea7e682e22516d665267b4c12c7a779c06d3

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

      Filesize

      44KB

      MD5

      3f7b39e2c17f35ab4a7986aa632e9f5d

      SHA1

      87a1e2ec15985db8c9dab3e5de0bec3209ed933d

      SHA256

      0b2914bbe6dafba31b615854a8a07dc01f0a1b0a562dc4d2561d82e3be7e50ff

      SHA512

      077f136eb36355c4dcee272bcb5de03efa3f70326ca2856e4b4ed8735a28cfc3dec6ddddd1107b8f1e83c8477f3a99186737fb24d0848c7c894b0a16cfcffd2e

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

      Filesize

      44KB

      MD5

      fd63e687196b25f937d65baec300fef5

      SHA1

      ab9633e937eaa3f0c5780fb7b8d9ea1935f5e6a1

      SHA256

      bebe5ae980715fae41fd339fddc20885e19aa5013decf3998706b8ed5dbb4879

      SHA512

      7110f00a38433fe7f432312469954b80e4ca3198a360fc5604cc0c3df62b2577c013809124eae99f84f827d0984852db22489bb3bc74c4d88739640c7a5ce854

    • C:\Users\Admin\AppData\Local\Temp\main\file.bin

      Filesize

      1.6MB

      MD5

      2b462118d8aa6b3c686472b5393c9738

      SHA1

      7a2cf1de9e60227614c7735100e3e58580ee8e48

      SHA256

      ede7d0fd13ddb2702fe993a6dd607ed1a867c026acfd77cf08f535144891ef4e

      SHA512

      b1bf622c499fe4fd4dc4c4e289d21051e309c57393f20eb68dde7d4dca6731523ccb5b3b4b0520e8f2909349b72efb36af5a6f1b019b5d156f82a4315e286e67

    • C:\Users\Admin\AppData\Local\Temp\main\main.bat

      Filesize

      513B

      MD5

      5173e9e9092d4155efa2264de7d78b46

      SHA1

      83342b01bbad2438f4f1daeca7813f1ee01ca48e

      SHA256

      4cfe442148bd608a48ffdc2359e17d9393e5a2c29963154d8b3bd8da01ff2dd0

      SHA512

      e10f657be0f095a338fab4f4e855458ef897dec240a5dee38c0156d2084911dd20dacdc610abcb33c2db9887753e6ce0cc3b5d7286e55e11d356b9291df37071

    • memory/2368-84-0x00000000055B0000-0x0000000005BC8000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-87-0x0000000005070000-0x00000000050AC000-memory.dmp

      Filesize

      240KB

    • memory/2368-88-0x00000000050B0000-0x00000000050FC000-memory.dmp

      Filesize

      304KB

    • memory/2368-86-0x0000000005140000-0x000000000524A000-memory.dmp

      Filesize

      1.0MB

    • memory/2368-85-0x0000000005010000-0x0000000005022000-memory.dmp

      Filesize

      72KB

    • memory/2368-83-0x0000000000790000-0x00000000007B0000-memory.dmp

      Filesize

      128KB