General

  • Target

    3fc9c1a56f30cf18e75f458ba4470cee_JaffaCakes118

  • Size

    471KB

  • Sample

    241013-pdl6kszhrm

  • MD5

    3fc9c1a56f30cf18e75f458ba4470cee

  • SHA1

    4f79fa2f37e7c795a25b753df8c53b6d4cc46d28

  • SHA256

    a455ea749bf2aa78f43ca6beb1fec983ca39b71e23ab8a951c6b3c0a23ae6b7c

  • SHA512

    b3149d9a303c0260e0b1452d20c196bb94d8c7f3a44d6a4ed9870b015e61b33b45eada50646fc2c40784a15c0349dbd1475ac69a38160cb085a0a9c3aa0bc807

  • SSDEEP

    6144:xYa0TXGrWVqIUgpXSRER+JTKasRLwnSmU2h0:xsX6KqpMXSER+JTHsRLwnSmUv

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Lamborghini

  • C2

    45.88.3.176:17033

Targets

    • Target

      3fc9c1a56f30cf18e75f458ba4470cee_JaffaCakes118

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks