Overview

overview

10

Static

static

3

JaffaCakes...f6.exe

windows7-x64

10

JaffaCakes...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 00:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe

  • Size

    802KB

  • MD5

    f27bbd676025bd515c3202b94dff8ef6

  • SHA1

    39949785532d90fd4ace3faf87ace6311b15ff22

  • SHA256

    e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43

  • SHA512

    2472b5f44cb2ccb4b55e2b87427564db2e59147bf555e61fbab11ae2b50a751a7e32caf78e2c419693b91008b6361764063ca0e9c8df8e44f41f55682c6b4723

  • SSDEEP

    24576:pAT8QE+kwrcszsNcf7fZhB0xxq+SxHKTcFX:pAI+3zsO7ffB0xr0qw

Score
10/10
redlinevidar915v4discoveryinfostealerstealer

Malware Config

Extracted

Family

redline

Botnet

V4

C2

3.17.66.208:50383

Attributes
  • auth_value

    7d7838681b4703ce5a8521eb0b68ca0c

Extracted

Family

vidar

Version

41.5

Botnet

915

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    915

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Vidar Stealer 5 IoCs
    stealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Program Files (x86)\FastPc\FastPc\Faster.exe
      "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 100
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:604
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 900
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:556
    • C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Program Files (x86)\FastPc\FastPc\Fast.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 688
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
    Filesize

    103KB

    MD5

    bb7db2a053187c745dbafd790698bb40

    SHA1

    59c2abc023c9e7d6ffe37253cd6b3b041be694af

    SHA256

    f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3

    SHA512

    da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

    Download Submit

  • \Program Files (x86)\FastPc\FastPc\Fast.exe
    Filesize

    716KB

    MD5

    37f9ed9d61e6463796aeeb8b72fe3b37

    SHA1

    0a70b57a1a674a881ca23405532848e31acfe770

    SHA256

    a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

    SHA512

    979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

    Download Submit

  • \Program Files (x86)\FastPc\FastPc\Faster.exe
    Filesize

    12KB

    MD5

    f711d75ce1395b0508eb9e070c049ddc

    SHA1

    84d0d9ac0cbd18ee40bf8ea5677924199cc86682

    SHA256

    e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c

    SHA512

    c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96

    Download Submit

  • memory/2080-36-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2708-44-0x0000000000B90000-0x0000000000BB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2708-69-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-38-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-66-0x0000000000A20000-0x0000000000B20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2752-42-0x0000000000B20000-0x0000000000BF6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2752-43-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2752-41-0x0000000000A20000-0x0000000000B20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2752-65-0x0000000000400000-0x00000000008E3000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2752-68-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2752-67-0x0000000000B20000-0x0000000000BF6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2968-64-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-40-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2968-37-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB

    Download