Overview

overview

10

Static

static

3

JaffaCakes...33.exe

windows7-x64

10

JaffaCakes...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f32f0973ac645d486efd6b0d2ba41233.exe

  • Size

    816KB

  • MD5

    f32f0973ac645d486efd6b0d2ba41233

  • SHA1

    88c21dc32e3e3e0f7a180c73a67da1d33a607d7e

  • SHA256

    6de8ec31f54283d326c41d633361a19f8635d269f4cf24560b8a994657f6cb89

  • SHA512

    b59e81288f92e3d5114ebda96f93afb41ac286bab07736ecc3e2ba28de2979188b7014066a574e683c6fb66272bb79ec9f206a9123817793ecb62f6581507a22

  • SSDEEP

    24576:EDWHSb4NFK9999dddddddzDdrK9999dddddddzDd/Qwb12RE85eY63ke1Fdil1rG:f84NbELEY63D1Cl1rDteSgiSV

Score
10/10
redline@lzt2021discoveryinfostealer

Malware Config

Extracted

Family

redline

Botnet

@LZT2021

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f32f0973ac645d486efd6b0d2ba41233.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f32f0973ac645d486efd6b0d2ba41233.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DQsnWZmCovBK.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DQsnWZmCovBK.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\RarSFX0\DQsnWZmCovBK.exe
    Filesize

    896KB

    MD5

    d2b3f68ba570b6b73ad4e89191dbf17f

    SHA1

    b8bf6c5da4a7d9a30635baf0b06644943541a628

    SHA256

    13c7456acd26c27a0ecb0eda235ccd57b746e516c64377cc4e542c5a2a55895b

    SHA512

    b544b04b7f58c166cc6093004a4c501eaab4f44cd6cb22aef783913c5479a0439526fd9ccd87ed73d89b4414120a12d39aa793340d174414d6a203453548d27d

    Download Submit

  • memory/2332-15-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2332-22-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2332-23-0x000000007390E000-0x000000007390F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2332-24-0x0000000001FE0000-0x0000000001FFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2332-25-0x0000000073900000-0x0000000073FEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2332-26-0x0000000073900000-0x0000000073FEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2332-27-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2332-28-0x000000007390E000-0x000000007390F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2332-29-0x0000000073900000-0x0000000073FEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2332-30-0x0000000000550000-0x0000000000636000-memory.dmp

    Filesize

    920KB

    Download