General

  • Target

    d9da9815606e9c73a40b222019957b7c_JaffaCakes118

  • Size

    1.8MB

  • Sample

    240911-h287payckj

  • MD5

    d9da9815606e9c73a40b222019957b7c

  • SHA1

    c8fd3cdd6881ea1779401e1b03e2cfa56964269d

  • SHA256

    12bf0a12a243f7c09cac59b9f474a18b7f542d602a6bd310a24ef21ecf7b62ad

  • SHA512

    6a168bd6e94ced0b56a57768c1bc256bd18e169997c83f8e123a974ae34a93e4c66a645b5d0cb4aafb4f2db27a4cf7170e04fb1b9b790dc7a912a4266cb17c51

  • SSDEEP

    49152:7IkYcI/frjtiaxxS7yXmSWZBl+pvo34vb3E+:OB/jJiaxxSkit33c7

Malware Config

  • Extracted

    Family: redline

  • Botnet

    @kulunchick_bot

  • C2

    193.32.164.63:3172

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
