General

  • Target: f5ade07e67a5a88cd01271d50f2a6ed4_JaffaCakes118
  • Size: 505KB
  • Sample: 240417-nqplssfa4z
  • MD5: f5ade07e67a5a88cd01271d50f2a6ed4
  • SHA1: 15011c885d34a35c0b09ca852e3c9bcf8509a179
  • SHA256: e855c5bb4634a61166fdd9b1b807998c5304cd52d0c064fcfdf0c501b0c70ac8
  • SHA512: 8fa01c8477c1091c376963584e1c4fd18a6978e5c4b66e33a432b4d7f542f952ebedcdb95a1b9ab60c8069ec14f90df7263921a5968911341c281a129032e2dd
  • SSDEEP: 12288:7hVk86CkQULOFuQaAc3DZMR6rh7OerzpW7HekhQIqfRPr:1hmBQ7c3dMR63P

Malware Config

Extracted

  • Family: redline
  • Botnet: @andomian
  • C2: 45.132.104.217:12780

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
