Overview

overview

10

Static

static

3

JaffaCakes...fc.exe

windows7-x64

10

JaffaCakes...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe

  • Size

    7.3MB

  • MD5

    c884991c01d2854cd2d9b46f792207fc

  • SHA1

    3f1549e8aaea2119361caa588d47de42aab0dc47

  • SHA256

    914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e

  • SHA512

    0fade5bc588ea78f9dc589ca2c1223ae6141e6eae3af92a7d660f5343ebfb798b6de1c6011f52061ef2a2cc29800615420dbaaa68b7fac3f10b6a0a0a6da9669

  • SSDEEP

    196608:9dm5Fdkyzf/xH8YRE4iQOr3asgZ9QHfz1afuVClmlB:9gPuybp5E4zO9Rc5ly

Score
10/10
loaderbotredlinexmrig@zenvolorddiscoveryinfostealerloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://qqpe4eb7.beget.tech/cmd.php

Extracted

Family

redline

Botnet

@zenvolord

C2

185.209.22.181:29234

Attributes
  • auth_value

    5a0918bd3e8ede8e02c8dd9d106a996d

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Loaderbot family
    loaderbot
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • XMRig Miner payload 3 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1832
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1716
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1728
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2672
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1756
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2348
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2852
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1788
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1848
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2940
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:596
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1776
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:940
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2712
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1284
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1480
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2968
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2852
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2696
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:800
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2984
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1516
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:2016
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        PID:1292
    • C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe
      "C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe
    Filesize

    4.6MB

    MD5

    eda712f5cca6547e36d2937b9d89fad0

    SHA1

    fb036b0995196539788ad0bcbce0bbb8d2db448e

    SHA256

    860eabc945b4a99255e1bdbcfcc19a6ebf605612d809678ecd329e6f17c4f961

    SHA512

    5ba2ea554cd25c2931a56bfdfd20da2c064c316841d5506178e44591fd67d356595a8a1d8243df753d2691de3e4e9b6bdeb6b979cbc72894f03c07b048aad6a7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dllhost.exe
    Filesize

    2.7MB

    MD5

    d3b312dc4459edae7159835bcd374b9f

    SHA1

    c4005eeae71227993aa8ddb05ef0fb0816568c25

    SHA256

    4b515944cfb60f4fa648b09cd4f2556c3d77c381189f5e85fd6b6d9e20a974fd

    SHA512

    019b87178e7051970b9868e37343e25e8a5875356b1a7053fee9eb80ff707195d06b8eae35faba066edfc463628f3298368964ab19a49e81d43c7a7fb2b29786

    Download Submit

  • \Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    4.6MB

    MD5

    4eef3a16234b50ad80f46b0928ec125d

    SHA1

    1dfc138538234f09bec31bebc2645733f34cc166

    SHA256

    9709fb3d2694cd95a4e1f26ec6ae491a6cec56cac5e69840e9ad876b1053ff5a

    SHA512

    311e7476596fc282d3940a702fb08c9192cb163a77a910f8b39043e39849fa7b1e48de135dcec9871871e651a5f491f06dd193ed788eadd10c63ac6678246208

    Download Submit

  • memory/1876-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1876-55-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1876-57-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1876-63-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1876-64-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2248-10-0x0000000000400000-0x0000000000B54000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/2248-11-0x0000000003B90000-0x0000000004390000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2784-14-0x0000000000D90000-0x0000000001590000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2784-69-0x0000000000D90000-0x0000000001590000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2784-47-0x0000000000D90000-0x0000000001590000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2820-45-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-29-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-24-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-22-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-20-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-19-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-17-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-27-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-33-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-35-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-38-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-40-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-43-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-46-0x0000000001200000-0x0000000001692000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2820-15-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download