redline | 586465bf2feff2badcc4abc5e37c030cf8476b836c88803095ee6f53c6e35857

General

Target

3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
Size

416KB
MD5

3d94c97113665616bb2ff09440a5bc27
SHA1

5af98e2f9e6183427893987961e049362a57c702
SHA256

586465bf2feff2badcc4abc5e37c030cf8476b836c88803095ee6f53c6e35857
SHA512

5fa61c6fe9a622fc3553af05fd0e5d9600c05dd850f61cd756a79bcfc8e14812a2302387f966cefd651fae94080339c4d7f85184106af9253bb9828fee76a12c
SSDEEP

12288:tttEi0F8ltcKn2HMAS9iLW851+9dN7KOY8N9Oe+9lauWfx7sN8zkdI4+qWcpORzw:R0GZ2Ha9P8K9d9Kbn9

Score

10^/10

redline sectoprat @lockfay infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@lockfay

C2

194.15.46.144:36848

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3904-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3904-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

description	pid	process	target process
PID 876 set thread context of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

pid	process
1916	powershell.exe
1916	powershell.exe
1660	powershell.exe
1660	powershell.exe
876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	powershell.exe
Token: SeSecurityPrivilege	1660	powershell.exe
Token: SeTakeOwnershipPrivilege	1660	powershell.exe
Token: SeLoadDriverPrivilege	1660	powershell.exe
Token: SeSystemProfilePrivilege	1660	powershell.exe
Token: SeSystemtimePrivilege	1660	powershell.exe
Token: SeProfSingleProcessPrivilege	1660	powershell.exe
Token: SeIncBasePriorityPrivilege	1660	powershell.exe
Token: SeCreatePagefilePrivilege	1660	powershell.exe
Token: SeBackupPrivilege	1660	powershell.exe
Token: SeRestorePrivilege	1660	powershell.exe
Token: SeShutdownPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeSystemEnvironmentPrivilege	1660	powershell.exe
Token: SeRemoteShutdownPrivilege	1660	powershell.exe
Token: SeUndockPrivilege	1660	powershell.exe
Token: SeManageVolumePrivilege	1660	powershell.exe
Token: 33	1660	powershell.exe
Token: 34	1660	powershell.exe
Token: 35	1660	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

description	pid	process	target process
PID 876 wrote to memory of 1916	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 1916	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 1916	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 1660	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 1660	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 1660	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	powershell.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
PID 876 wrote to memory of 3904	876	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe	3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe
2⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3d94c97113665616bb2ff09440a5bc27_JaffaCakes118.exe.log

Filesize
514B

MD5
daf9fe3dcbbcb5b561d9f0353b55f9d4

SHA1
a13e3d6ebbed85e669c83bb501c155a494c549f0

SHA256
07f91247f55298b9e1ceb697f4372d5527469846874d70cff32cf469477fd5d5

SHA512
5ea0df54ff91f5957c1eaed129a5dec9c9ae82a14b1f8c7fcb71df5233da533c9860fb1d6d73dff05402c1cba0a29e763d0434cf0b92a8c234b0719418882eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
5191e606c31d697659be68873ac5aad8

SHA1
4e36a9f99b9d205e67510226a47599715d3e1f71

SHA256
5fdaf9684de4c54941fb2b1e8ee12565fb8d582b20167edb3c5f44e2a6e42bed

SHA512
392fff925d2e2372adcc8f09389466749328bad4f0c1101f93af20132235e39f5e5486989f8805745301e3451ac4b5432298d859a20988ca6a07909ff4b71442

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aibtk3qu.bqt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/876-54-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/876-52-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/876-50-0x0000000004DF0000-0x0000000004E0C000-memory.dmp

Filesize
112KB

Download
memory/876-49-0x0000000002690000-0x00000000026CA000-memory.dmp

Filesize
232KB

Download
memory/876-46-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/876-0-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/876-2-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/876-1-0x0000000000290000-0x00000000002FE000-memory.dmp

Filesize
440KB

Download
memory/1660-48-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1660-35-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/1660-34-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1660-33-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1660-32-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1916-10-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1916-8-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/1916-27-0x00000000088B0000-0x0000000008F2A000-memory.dmp

Filesize
6.5MB

Download
memory/1916-30-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1916-25-0x0000000007600000-0x0000000007622000-memory.dmp

Filesize
136KB

Download
memory/1916-24-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/1916-23-0x0000000006B90000-0x0000000006C26000-memory.dmp

Filesize
600KB

Download
memory/1916-22-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/1916-21-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/1916-20-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/1916-9-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1916-26-0x0000000007C80000-0x0000000008224000-memory.dmp

Filesize
5.6MB

Download
memory/1916-4-0x0000000005820000-0x0000000005E48000-memory.dmp

Filesize
6.2MB

Download
memory/1916-7-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1916-3-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/1916-5-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/1916-6-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3904-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3904-56-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/3904-57-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/3904-58-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-59-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/3904-60-0x00000000053B0000-0x00000000053FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads