Overview

overview

10

Static

static

3

JaffaCakes...57.exe

windows7-x64

10

JaffaCakes...57.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_d12f20d20f23819ef3448bc10873ba57.exe

  • Size

    4.6MB

  • MD5

    d12f20d20f23819ef3448bc10873ba57

  • SHA1

    961ab360fa4588bcf7494a08914a59f029d8f5e7

  • SHA256

    7a5fc736a94166592a370b8b311656517e2df180917bbc61fc688eb7df0915cb

  • SHA512

    392d851bda9796a3c351f5b998df90a5e0f1dc116e3ba66f73ad86d254a1d2ca1c526c3f18cd6f4ede626a1fe4001c7e30af021ada55e1adf57d3faa2f624c16

  • SSDEEP

    98304:Uq8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchoKCa:Uqup0Ex8ArMdPABEp0pAKhfCa

Score
10/10
redline@zxckostyan4ikdiscoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

@zxckostyan4ik

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d12f20d20f23819ef3448bc10873ba57.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d12f20d20f23819ef3448bc10873ba57.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\cmd.exe
        "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:972
    • C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1992
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7B064C0D-52AF-4FEE-B22E-BE790C0872FC} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:408
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    51f6032f71042fe7316529a9c1e1bcbf

    SHA1

    66c918635e2d22864cb159858dde3c8555ee762c

    SHA256

    716da1a746eb728537595bccf8e53864685c19f9048ccbfe266eee2f9ab64739

    SHA512

    9e1ade1cc531c4e18c20ee2352313b3865dedf901fd4f3b246704ba98ee657c1a21d77458d74dcd7e82db8adca3d507ae98138c09fd79df39cdfac6970f4280b

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.1MB

    MD5

    43d10bceb18865e16d5ba84c42f82b2c

    SHA1

    6560eaea33e3a349d20b3e6c904642ca603b416e

    SHA256

    7ce8f82c93c4b4a32b8ab350a880ea0bf5c7bc5cd4c49360c7d9cad3efb26cfe

    SHA512

    42cf0c5038d03f24a232277b89b750b159617cf34441976cd539cf652c10672b6ebaea3fa2b2ee9e38f26cd8fee1c0d783de10a3da153cee43468e2c530df365

    Download Submit

  • \Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
    Filesize

    881KB

    MD5

    ce5a9ec35a54e669820589d15f1faa07

    SHA1

    68a5aaa46aa2ce2c3083486f8e265e050cd421ac

    SHA256

    a5317940f3f36d4c047ef70fcef5aedcdcdb0d9afae7ccfb3220190f09dab15b

    SHA512

    eb097778c480b9e1bd396895ef86727997cb1c0bd1c3d6863a3d711216c2ce64d1ff647987b57c0e67b9b9673526cd28bc83aaf7177e11a9b348e2960f535131

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Selfconvened.exe
    Filesize

    4.5MB

    MD5

    64b5e984fda860eedf19c29a124094fb

    SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

    SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

    SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

    Download Submit

  • memory/408-61-0x00000000001C0000-0x000000000063A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1492-44-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1492-43-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1700-50-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1700-51-0x00000000027D0000-0x00000000027D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1992-26-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1992-22-0x00000000745F0000-0x0000000074CDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1992-11-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1992-27-0x00000000745FE000-0x00000000745FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-28-0x00000000745F0000-0x0000000074CDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1992-29-0x0000000000650000-0x0000000000733000-memory.dmp

    Filesize

    908KB

    Download

  • memory/1992-18-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1992-20-0x00000000745FE000-0x00000000745FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-21-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2100-69-0x00000000001D0000-0x000000000064A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3028-32-0x00000000216C0000-0x0000000021964000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3028-24-0x000000001BFB0000-0x000000001C030000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3028-31-0x0000000021310000-0x00000000216B8000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3028-19-0x0000000001130000-0x00000000015AA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3028-30-0x000000001BFB0000-0x000000001C030000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3028-23-0x000000001C4D0000-0x000000001C888000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3028-10-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3028-25-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

    Filesize

    4KB

    Download