General

  • Target

    e4086df34bc50103a13d197e915e578d_JaffaCakes118

  • Size

    643KB

  • Sample

    240407-evy7cscg7t

  • MD5

    e4086df34bc50103a13d197e915e578d

  • SHA1

    67841d84f49029cc773a3d90d612a238e0ccb7a5

  • SHA256

    97ecdd9bfe96bbc323ee0526c18949371e38b373d0f71104277f684af338c663

  • SHA512

    a62d22577691dc452e96cdbddff18451b4970f1c2d9fc1c73286ef3d844daec3e6de6ec7a6c7c2918a401323ab91c3d4248123dfffdc1eb0cf6dcf6685d76180

  • SSDEEP

    12288:MrRWtp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvX7ZwUdLyc:FqdLgM7itajszgBnR7/LJXdJ+nlA7

Malware Config

Extracted

  • Family

    redline

  • Botnet

    @Cheburek212

  • C2

    185.80.234.77:17105

Targets

    • Target

      e4086df34bc50103a13d197e915e578d_JaffaCakes118

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks