Overview

overview

10

Static

static

3

7076117f0c...18.exe

windows7-x64

10

7076117f0c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118

  • Size

    18.6MB

  • Sample

    241023-x513tawdka

  • MD5

    7076117f0c6d84ffd59192a4b1e7208f

  • SHA1

    08b793fc796ea5ef45f5a0d3ca989d2a2852a279

  • SHA256

    621d9de231168a4edd7b0d2bfb27f24165a1996c7a540e51fa31317a506a6518

  • SHA512

    b4f30483d16a6a38afedb91bba320e051be8a0ea94ed0e23c33f4fe0828d0ff08d8a0663aea6b2c5945b9649605217722037d2d214c3167d99fc90310160ff9a

  • SSDEEP

    393216:bsPcjinkzVPjpLnWsDkCSDCe0nz5QVIGKXTpchSpMtm9LZ0+ecQwX:bgFn0DLnC0zuuGKjpch4++em

Score
10/10
redlinesectopratmaindiscoverydropperevasionexecutioninfostealerpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

redline

Botnet

Main

C2

146.0.75.231:65371

Targets

    • Target

      7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118

    • Size

      18.6MB

    • MD5

      7076117f0c6d84ffd59192a4b1e7208f

    • SHA1

      08b793fc796ea5ef45f5a0d3ca989d2a2852a279

    • SHA256

      621d9de231168a4edd7b0d2bfb27f24165a1996c7a540e51fa31317a506a6518

    • SHA512

      b4f30483d16a6a38afedb91bba320e051be8a0ea94ed0e23c33f4fe0828d0ff08d8a0663aea6b2c5945b9649605217722037d2d214c3167d99fc90310160ff9a

    • SSDEEP

      393216:bsPcjinkzVPjpLnWsDkCSDCe0nz5QVIGKXTpchSpMtm9LZ0+ecQwX:bgFn0DLnC0zuuGKjpch4++em

    Score
    10/10
    discoverydropperevasionexecutionpersistenceprivilege_escalationtrojanredlinesectopratmaininfostealerrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • UAC bypass

      evasiontrojan

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Download via BitsAdmin

      dropper

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

BITS Jobs

1
T1197

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

BITS Jobs

1
T1197

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks