Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 00:38

General

  • Target

    JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe

  • Size

    802KB

  • MD5

    f27bbd676025bd515c3202b94dff8ef6

  • SHA1

    39949785532d90fd4ace3faf87ace6311b15ff22

  • SHA256

    e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43

  • SHA512

    2472b5f44cb2ccb4b55e2b87427564db2e59147bf555e61fbab11ae2b50a751a7e32caf78e2c419693b91008b6361764063ca0e9c8df8e44f41f55682c6b4723

  • SSDEEP

    24576:pAT8QE+kwrcszsNcf7fZhB0xxq+SxHKTcFX:pAI+3zsO7ffB0xr0qw

Malware Config

Extracted

Family

redline

Botnet

V4

C2

3.17.66.208:50383

Attributes
  • auth_value

    7d7838681b4703ce5a8521eb0b68ca0c

Extracted

Family

vidar

Version

41.5

Botnet

915

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    915

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Vidar Stealer 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Program Files (x86)\FastPc\FastPc\Faster.exe
      "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 100
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2832
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 900
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4524
    • C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3084
    • C:\Program Files (x86)\FastPc\FastPc\Fast.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1040
        3⤵
        • Program crash
        PID:4564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4284 -ip 4284
    1⤵
      PID:4360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\FastPc\FastPc\Fast.exe

      Filesize

      716KB

      MD5

      37f9ed9d61e6463796aeeb8b72fe3b37

      SHA1

      0a70b57a1a674a881ca23405532848e31acfe770

      SHA256

      a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

      SHA512

      979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

    • C:\Program Files (x86)\FastPc\FastPc\Fast_.exe

      Filesize

      103KB

      MD5

      bb7db2a053187c745dbafd790698bb40

      SHA1

      59c2abc023c9e7d6ffe37253cd6b3b041be694af

      SHA256

      f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3

      SHA512

      da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

    • C:\Program Files (x86)\FastPc\FastPc\Faster.exe

      Filesize

      12KB

      MD5

      f711d75ce1395b0508eb9e070c049ddc

      SHA1

      84d0d9ac0cbd18ee40bf8ea5677924199cc86682

      SHA256

      e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c

      SHA512

      c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96

    • memory/1624-45-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3084-60-0x0000000005260000-0x00000000052AC000-memory.dmp

      Filesize

      304KB

    • memory/3084-57-0x00000000052F0000-0x00000000053FA000-memory.dmp

      Filesize

      1.0MB

    • memory/3084-48-0x0000000000940000-0x0000000000960000-memory.dmp

      Filesize

      128KB

    • memory/3084-50-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

    • memory/3084-72-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

    • memory/3084-59-0x0000000005220000-0x000000000525C000-memory.dmp

      Filesize

      240KB

    • memory/3084-52-0x0000000005750000-0x0000000005D68000-memory.dmp

      Filesize

      6.1MB

    • memory/3084-56-0x00000000051C0000-0x00000000051D2000-memory.dmp

      Filesize

      72KB

    • memory/4284-53-0x0000000000B40000-0x0000000000C40000-memory.dmp

      Filesize

      1024KB

    • memory/4284-58-0x0000000000400000-0x00000000004D9000-memory.dmp

      Filesize

      868KB

    • memory/4284-54-0x0000000000DF0000-0x0000000000EC6000-memory.dmp

      Filesize

      856KB

    • memory/4284-71-0x0000000000400000-0x00000000004D9000-memory.dmp

      Filesize

      868KB

    • memory/4284-70-0x0000000000DF0000-0x0000000000EC6000-memory.dmp

      Filesize

      856KB

    • memory/4284-69-0x0000000000400000-0x00000000008E3000-memory.dmp

      Filesize

      4.9MB

    • memory/4824-55-0x0000000000C80000-0x0000000000C90000-memory.dmp

      Filesize

      64KB

    • memory/4824-49-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4824-39-0x0000000000350000-0x000000000035A000-memory.dmp

      Filesize

      40KB

    • memory/4824-43-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

      Filesize

      8KB

    • memory/4824-68-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4824-51-0x0000000000C80000-0x0000000000C90000-memory.dmp

      Filesize

      64KB