Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-01-2025 00:38
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
Resource: win7-20240708-en
General
Target: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
Size: 802KB
MD5: f27bbd676025bd515c3202b94dff8ef6
SHA1: 39949785532d90fd4ace3faf87ace6311b15ff22
SHA256: e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43
SHA512: 2472b5f44cb2ccb4b55e2b87427564db2e59147bf555e61fbab11ae2b50a751a7e32caf78e2c419693b91008b6361764063ca0e9c8df8e44f41f55682c6b4723
SSDEEP: 24576:pAT8QE+kwrcszsNcf7fZhB0xxq+SxHKTcFX:pAI+3zsO7ffB0xr0qw
Malware Config
Extracted: redline
  V4
  3.17.66.208:50383
  auth_value: 7d7838681b4703ce5a8521eb0b68ca0c
Extracted: vidar
  41.5
  915
  https://mas.to/@xeroxxx
  profile_id: 915
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource: behavioral2/files/0x0007000000023cbe-42.dat  yara_rule: family_redline
  resource: behavioral2/memory/3084-48-0x0000000000940000-0x0000000000960000-memory.dmp  yara_rule: family_redline

Redline family

Vidar family

Vidar Stealer (5 IoCs)
  resource: behavioral2/memory/4284-54-0x0000000000DF0000-0x0000000000EC6000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/4284-58-0x0000000000400000-0x00000000004D9000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/4284-71-0x0000000000400000-0x00000000004D9000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/4284-70-0x0000000000DF0000-0x0000000000EC6000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/4284-69-0x0000000000400000-0x00000000008E3000-memory.dmp  yara_rule: family_vidar

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  Process: Faster.exe

Executes dropped EXE (3 IoCs)
  pid: 4824  Process: Faster.exe
  pid: 3084  Process: Fast_.exe
  pid: 4284  Process: Fast.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  description: File opened for modification  ioc: C:\Program Files (x86)\FastPc\FastPc\Fast_.exe  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\FastPc\FastPc\Faster.exe  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\FastPc\FastPc\Fast.exe  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid: 4564  pid_target: 4284  Process: WerFault.exe  procid_target: 85
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Fast_.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Fast.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid: 4572  Process: cmd.exe
  pid: 2832  Process: PING.EXE
  pid: 4524  Process: PING.EXE

Runs ping.exe (1 TTPs, 2 IoCs)
  pid: 2832  Process: PING.EXE
  pid: 4524  Process: PING.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 4824  Process: Faster.exe
  pid: 4824  Process: Faster.exe
  pid: 4824  Process: Faster.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid: 4824  Process: Faster.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description: PID 1624 wrote to memory of 4824  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 83
  description: PID 1624 wrote to memory of 4824  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 83
  description: PID 1624 wrote to memory of 3084  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 84
  description: PID 1624 wrote to memory of 3084  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 84
  description: PID 1624 wrote to memory of 3084  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 84
  description: PID 1624 wrote to memory of 4284  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 85
  description: PID 1624 wrote to memory of 4284  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 85
  description: PID 1624 wrote to memory of 4284  pid: 1624  Process: JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe  procid_target: 85
  description: PID 4824 wrote to memory of 4572  pid: 4824  Process: Faster.exe  procid_target: 90
  description: PID 4824 wrote to memory of 4572  pid: 4824  Process: Faster.exe  procid_target: 90
  description: PID 4572 wrote to memory of 2832  pid: 4572  Process: cmd.exe  procid_target: 92
  description: PID 4572 wrote to memory of 2832  pid: 4572  Process: cmd.exe  procid_target: 92
  description: PID 4572 wrote to memory of 4524  pid: 4572  Process: cmd.exe  procid_target: 95
  description: PID 4572 wrote to memory of 4524  pid: 4572  Process: cmd.exe  procid_target: 95
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f27bbd676025bd515c3202b94dff8ef6.exe"
  PID: 1624
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\FastPc\FastPc\Faster.exe
      "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
      PID: 4824
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
          PID: 4572
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\PING.EXE
              ping 1.1.1.1 -n 1 -w 100
              PID: 2832
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

            C:\Windows\system32\PING.EXE
              ping 1.1.1.1 -n 1 -w 900
              PID: 4524
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

    C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
      PID: 3084
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\FastPc\FastPc\Fast.exe
      "C:\Program Files (x86)\FastPc\FastPc\Fast.exe"
      PID: 4284
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1040
          PID: 4564
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4284 -ip 4284
  PID: 4360
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 716KB
MD5: 37f9ed9d61e6463796aeeb8b72fe3b37
SHA1: 0a70b57a1a674a881ca23405532848e31acfe770
SHA256: a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c
SHA512: 979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Filesize: 103KB
MD5: bb7db2a053187c745dbafd790698bb40
SHA1: 59c2abc023c9e7d6ffe37253cd6b3b041be694af
SHA256: f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3
SHA512: da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

Filesize: 12KB
MD5: f711d75ce1395b0508eb9e070c049ddc
SHA1: 84d0d9ac0cbd18ee40bf8ea5677924199cc86682
SHA256: e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c
SHA512: c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96