Overview

overview

10

Static

static

3

JaffaCakes...b5.exe

windows7-x64

10

JaffaCakes...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f0c79126c7a4dc930ea4e1e4e09017b5.exe

  • Size

    4.6MB

  • MD5

    f0c79126c7a4dc930ea4e1e4e09017b5

  • SHA1

    a47859bef56c268a88405370d9c2556d5a4fb253

  • SHA256

    2fa3a2a8cef5c47f46af13eb11cd421f9793a0cba77d8df53c05ff5ead488ee0

  • SHA512

    1793661b774bed282551d960653999f65196f03e1bf4360821a08a9b270337b20cdeb998acbb1367c4557c985ca2aec23022f267ec89bdebe3934e004c736769

  • SSDEEP

    98304:ALO9E237GJYUl1fe84qbxuGOlg3fD9TY08MsTH1WS3Op:bL2J1u/esTUsw

Score
10/10
redlinesectoprat@bibiskopdiscoveryexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

@Bibiskop

C2

176.57.69.148:43862

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0c79126c7a4dc930ea4e1e4e09017b5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0c79126c7a4dc930ea4e1e4e09017b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\nslockup.exe
        "C:\Users\Admin\AppData\Local\Temp\nslockup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\System32\conhost.exe
          "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\nslockup.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\Windows\System32\cmd.exe
            "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1648
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2600
          • C:\Windows\System32\cmd.exe
            "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2368
          • C:\Windows\System32\cmd.exe
            "cmd" cmd /c "C:\Users\Admin\services32.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1372
            • C:\Users\Admin\services32.exe
              C:\Users\Admin\services32.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
                7⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2576
                • C:\Windows\System32\cmd.exe
                  "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2072
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1016
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2964
                • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Windows\System32\conhost.exe
                    "C:\Windows\System32\\conhost.exe" "/sihost32"
                    9⤵
                      PID:1700
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      aaeb3c6df0dccc6f29da10f55dba328a

      SHA1

      0c2ca9252b2f757329e87354dc483f8b133b0ebc

      SHA256

      ae6b8ca0fca31089b6d55bd5ec5ca4f7103db436f6d50add6094efc32fa20c2d

      SHA512

      e89a2980154254504d58499afc4c654ec545e80e1faec2c26840b7401de1ae2912dff87ed969ea22ca0e956da92353dff5931a9d8e1c10653f3f0e1d215a1a0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab67F9.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar681B.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
      Filesize

      29KB

      MD5

      26182c623fc79809e233ad0e1ad95b3f

      SHA1

      1cad28253b1ca45a7240f1f8990645f4b375b213

      SHA256

      8e6013e034e8a0f9deceb91c95352326c8c1c9bc4499167220113d497feae9d1

      SHA512

      dd41f05ce98e40e587485866da664c835c9cf2cacffab973a0db6bd9e3822f8727d52f5b8c457261eebdba54fa818348f03c9f00b1ea23ef0d0498e981df8dda

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      481f3f56d8c9d844b852380b84d0d29c

      SHA1

      91b56c7aa74c01ff3eda3d43644565a6d7fa5be5

      SHA256

      21ae8244befe4898b3c9512267c43e59bb7a21ea350ebcf9879846998aaf04cd

      SHA512

      d92f8a3fce619a9c54088b31598a9fab5ae8e9dadf6360f9f6deaa3e4cddc62900460da827b124b836bca5a8063258f4290ad9b5ddf0c22250ca4d165852508f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nslockup.exe
      Filesize

      65KB

      MD5

      e31a6207fa3e1a01653b369e4b470843

      SHA1

      261fcb938445bf37fb11d25de7e30286da7e1d74

      SHA256

      bb40bc63c799bbe25e2a3f1a84c424194bd057dec002ecc5e65b11faa2c98339

      SHA512

      035c66661ced7396973f5d14e68d00024526652f3facd46c6e242d1d60c28e78b7ee59c3b66ba9f7d2126d1bd1dff1534266e52f243dc6d3d6487712ca924ed9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      95KB

      MD5

      561f33e56d85a983df6ec1c78ba85153

      SHA1

      6f16876957f4b4711903dd4785b7a034c24240f5

      SHA256

      c117703d313253dbeb48c8db761929f7736affd6477a56113d37227a0b306dbb

      SHA512

      5fdf49a894f6ebd9754e0a146ae27aae2d818af16fd0d3c1734e7794812f7e7936936e7f03b1fd12c80a88762892d9c1144ee6b927f3b46471ac478b60ae59b9

      Download Submit

    • memory/996-68-0x0000000001B90000-0x0000000001BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/996-67-0x0000000000060000-0x000000000006F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1016-97-0x000000001B730000-0x000000001BA12000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1648-74-0x00000000022C0000-0x00000000022C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1648-73-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1700-209-0x0000000000060000-0x0000000000067000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1700-210-0x00000000001E0000-0x00000000001E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1800-5-0x0000000000140000-0x0000000000141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-2-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-29-0x0000000000200000-0x0000000000201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-27-0x0000000000200000-0x0000000000201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-24-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-44-0x0000000001165000-0x00000000013E3000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1800-22-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-19-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-31-0x0000000001130000-0x00000000015CB000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/1800-0-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-17-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-14-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-12-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-9-0x0000000000140000-0x0000000000141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-7-0x0000000000140000-0x0000000000141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-33-0x0000000001130000-0x00000000015CB000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/1800-4-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-30-0x0000000001165000-0x00000000013E3000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1932-42-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1932-35-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1932-40-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-34-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1932-43-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2600-81-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2600-80-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2868-62-0x00000000742DE000-0x00000000742DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2868-63-0x00000000008C0000-0x00000000008DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2868-64-0x00000000742D0000-0x00000000749BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2868-66-0x00000000742D0000-0x00000000749BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2868-65-0x00000000742DE000-0x00000000742DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2964-110-0x000000001B510000-0x000000001B7F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2964-111-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

      Filesize

      32KB

      Download