Overview

overview

10

Static

static

3

JaffaCakes...fc.exe

windows7-x64

10

JaffaCakes...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe

  • Size

    7.3MB

  • MD5

    c884991c01d2854cd2d9b46f792207fc

  • SHA1

    3f1549e8aaea2119361caa588d47de42aab0dc47

  • SHA256

    914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e

  • SHA512

    0fade5bc588ea78f9dc589ca2c1223ae6141e6eae3af92a7d660f5343ebfb798b6de1c6011f52061ef2a2cc29800615420dbaaa68b7fac3f10b6a0a0a6da9669

  • SSDEEP

    196608:9dm5Fdkyzf/xH8YRE4iQOr3asgZ9QHfz1afuVClmlB:9gPuybp5E4zO9Rc5ly

Score
10/10
loaderbotredlinexmrig@zenvolorddiscoveryinfostealerloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://qqpe4eb7.beget.tech/cmd.php

Extracted

Family

redline

Botnet

@zenvolord

C2

185.209.22.181:29234

Attributes
  • auth_value

    5a0918bd3e8ede8e02c8dd9d106a996d

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Loaderbot family
    loaderbot
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 3 IoCs
  • XMRig Miner payload 3 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c884991c01d2854cd2d9b46f792207fc.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4088
    • C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe
      "C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 228
        3⤵
        • Program crash
        PID:3944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 1504
    1⤵
      PID:4384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe
      Filesize

      4.6MB

      MD5

      eda712f5cca6547e36d2937b9d89fad0

      SHA1

      fb036b0995196539788ad0bcbce0bbb8d2db448e

      SHA256

      860eabc945b4a99255e1bdbcfcc19a6ebf605612d809678ecd329e6f17c4f961

      SHA512

      5ba2ea554cd25c2931a56bfdfd20da2c064c316841d5506178e44591fd67d356595a8a1d8243df753d2691de3e4e9b6bdeb6b979cbc72894f03c07b048aad6a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      Filesize

      2.7MB

      MD5

      d3b312dc4459edae7159835bcd374b9f

      SHA1

      c4005eeae71227993aa8ddb05ef0fb0816568c25

      SHA256

      4b515944cfb60f4fa648b09cd4f2556c3d77c381189f5e85fd6b6d9e20a974fd

      SHA512

      019b87178e7051970b9868e37343e25e8a5875356b1a7053fee9eb80ff707195d06b8eae35faba066edfc463628f3298368964ab19a49e81d43c7a7fb2b29786

      Download Submit

    • memory/1028-39-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1028-55-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1028-49-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1028-48-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1028-46-0x0000000004E10000-0x0000000004E22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1028-47-0x0000000004F80000-0x000000000508A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1028-45-0x00000000053B0000-0x00000000059C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1028-44-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-34-0x00000000000D5000-0x000000000034B000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1504-35-0x00000000000A0000-0x0000000000532000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/1504-28-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-27-0x0000000000A90000-0x0000000000A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-33-0x00000000000A0000-0x0000000000532000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/1504-29-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-38-0x00000000000A0000-0x0000000000532000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/1504-30-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-31-0x0000000000C00000-0x0000000000C01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-32-0x0000000000C10000-0x0000000000C11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2288-24-0x0000000000400000-0x0000000000B54000-memory.dmp

      Filesize

      7.3MB

      Download

    • memory/4088-25-0x00000000007C0000-0x0000000000FC0000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/4088-26-0x00000000007C0000-0x0000000000FC0000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/4088-20-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4088-51-0x00000000064C0000-0x0000000006526000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4088-53-0x0000000073A80000-0x0000000074230000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4088-54-0x00000000007C0000-0x0000000000FC0000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/4088-14-0x00000000007C0000-0x0000000000FC0000-memory.dmp

      Filesize

      8.0MB

      Download