Overview

overview

10

Static

static

7

JaffaCakes...58.exe

windows7-x64

10

JaffaCakes...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a8599b9ee6ab5e391788b7e8f183a858.exe

  • Size

    3.0MB

  • MD5

    a8599b9ee6ab5e391788b7e8f183a858

  • SHA1

    d01e832effb7eca779d5387b139925a69fa5f07b

  • SHA256

    00d617e50b3665427f5558404dbaeaac2b55b8413c75ef2e054e532d1d240270

  • SHA512

    cac68e88da9b7f248236678a858d930f1f02b1534d5fc0b1d197fa36540d4b6d74571180c07b0c59cf0356d2951dae4d5dd3a7158a4fe1bb50fa8d7929d239ba

  • SSDEEP

    49152:K94vrZ5XjXmuvZ/vT5A+kCT3dLRI/l4+txZty1GHY+ExwvfZI3kEN5CJfFFIpe:2ofzmuhHTAChFINJQ128wnO3V5WfF6pe

Score
10/10
redlinesectoprat@xmrfraudboydiscoveryevasioninfostealerratthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

@xmrfraudboy

C2

138.124.186.228:13570

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8599b9ee6ab5e391788b7e8f183a858.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8599b9ee6ab5e391788b7e8f183a858.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8599b9ee6ab5e391788b7e8f183a858.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzauc3k1.pkv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3184-29-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-20-0x00000000063F0000-0x000000000642C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3184-2-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-4-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-8-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-7-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-9-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-6-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-5-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-13-0x0000000000730000-0x0000000000F4C000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/3184-12-0x0000000000730000-0x0000000000F4C000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/3184-15-0x0000000003170000-0x000000000318E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3184-14-0x0000000002C60000-0x0000000002C74000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3184-16-0x0000000005CA0000-0x0000000006244000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3184-19-0x0000000006350000-0x0000000006362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3184-24-0x0000000000730000-0x0000000000F4C000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/3184-28-0x00000000760B0000-0x00000000760B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3184-17-0x0000000006870000-0x0000000006E88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3184-21-0x0000000006620000-0x000000000666C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3184-52-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-50-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-0-0x0000000000730000-0x0000000000F4C000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/3184-51-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-3-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-18-0x0000000006F30000-0x0000000006FC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3184-49-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-1-0x00000000760B0000-0x00000000760B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3184-48-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3184-25-0x0000000009B70000-0x0000000009C7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3852-56-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3852-43-0x0000000005F20000-0x0000000005F3E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3852-27-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3852-23-0x0000000005160000-0x0000000005788000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3852-45-0x0000000006430000-0x000000000644A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3852-44-0x0000000006F00000-0x0000000006F96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3852-46-0x00000000064A0000-0x00000000064C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3852-47-0x00000000083D0000-0x0000000008A4A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3852-42-0x0000000005AB0000-0x0000000005E04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3852-36-0x0000000005860000-0x00000000058C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3852-37-0x0000000005940000-0x00000000059A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3852-26-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3852-22-0x0000000002650000-0x0000000002686000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3852-55-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3852-54-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3852-30-0x00000000057C0000-0x00000000057E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3852-65-0x0000000076090000-0x0000000076180000-memory.dmp

    Filesize

    960KB

    Download