Overview

overview

10

Static

static

1

JaffaCakes...c1.exe

windows7-x64

10

JaffaCakes...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-01-2025 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_83e526f8bfc46d6e36280cecec659cc1.exe

  • Size

    1.2MB

  • MD5

    83e526f8bfc46d6e36280cecec659cc1

  • SHA1

    eb2a8108072fa34a559f63d2ea5cf856a96d2154

  • SHA256

    adc87f7ea711a1a3dd2de34647ec7b8a933588b35bf7ad3499d255e669e5f4f6

  • SHA512

    b05a71712788ae2b412ef18d28e27860ae64992a85122b161e6d62ba2eed20bc7fefd21bd0d19aa59380cb19f22d7ec293ac31fb61a84b546faf49ac862f9000

  • SSDEEP

    12288:unp+wJ9GeeYwTVlCOCQWAKeAaf/+YQZ7QQ6m1N4LWgViFd1kXanGJAWCG2GBKf/N:uOeZ7YymWgpkM4us

Score
10/10
redlinesectoprat@andrey_dolmatovdiscoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

@andrey_dolmatov

C2

212.86.102.118:22117

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83e526f8bfc46d6e36280cecec659cc1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83e526f8bfc46d6e36280cecec659cc1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    536e791d9fc4d87481b9505962c0bb3a

    SHA1

    c78c5dcb33a4aa77906a3be5e195e17d7f27da9d

    SHA256

    390356d3313c7286954a5ae335501f541d604c14d0dde8a8ca73dc29c1829c04

    SHA512

    0717bfc887cc1640ee8ea7071a8cb6da97044929a5de0f9e153be7f09d4b7295291a479e216187790c047afa62f67049d2aca158c9e4a962d8e602601deeb4bd

    Download Submit

  • memory/2524-0-0x000000007481E000-0x000000007481F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-1-0x0000000000DD0000-0x0000000000EFA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2948-9-0x000000007412E000-0x000000007412F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-10-0x0000000000210000-0x000000000022E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2948-11-0x0000000074120000-0x000000007480E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2948-12-0x000000007412E000-0x000000007412F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-13-0x0000000074120000-0x000000007480E000-memory.dmp

    Filesize

    6.9MB

    Download