redline | a16ffac57803b1af0f18e383e80971722e65661601019a884ed3d2c7d3be8cc9

General

Target

9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
Size

2.3MB
MD5

9428c2451bc098d6401dc094e2ae8e3f
SHA1

a2d7de9ba7516ed1386cb923db38d8dc3c3ccc1d
SHA256

a16ffac57803b1af0f18e383e80971722e65661601019a884ed3d2c7d3be8cc9
SHA512

de771b7fd8731af0ca29832f8f7f830f85ed15784658eeef0a67ee84362973423315551dadf847186dc96691eac355f10d99506185d7bfbe3dd700563a130cd8
SSDEEP

49152:sWMBHn8mewe80/X5SGPUTS4+HQrr3G8kwEArdOVs2ZDVvB67lCJFd:qTfeFSGPibjXeAcVDZBv87lkFd

Score

10^/10

redline sectoprat @piffik discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@Piffik

C2

185.183.32.195:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00080000000120f9-9.dat	family_redline
behavioral1/memory/2104-20-0x00000000008D0000-0x00000000008F2000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1620-4-0x000000001ABB0000-0x000000001ADCA000-memory.dmp	family_sectoprat
behavioral1/files/0x00080000000120f9-9.dat	family_sectoprat
behavioral1/memory/2104-20-0x00000000008D0000-0x00000000008F2000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 4 IoCs

Processes:

cryptbuild.exeBuildETH.exeRuntimeServiseDriver.exesihost32.exe

pid	Process
2104	cryptbuild.exe
2548	BuildETH.exe
1320	RuntimeServiseDriver.exe
568	sihost32.exe

Loads dropped DLL 3 IoCs

Processes:

9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exeBuildETH.exeRuntimeServiseDriver.exe

pid	Process
1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
2548	BuildETH.exe
1320	RuntimeServiseDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cryptbuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptbuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2916	schtasks.exe
688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BuildETH.exeRuntimeServiseDriver.exe

pid	Process
2548	BuildETH.exe
1320	RuntimeServiseDriver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BuildETH.exeRuntimeServiseDriver.exe

description	pid	Process
Token: SeDebugPrivilege	2548	BuildETH.exe
Token: SeDebugPrivilege	1320	RuntimeServiseDriver.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exeBuildETH.execmd.exeRuntimeServiseDriver.execmd.exe

description	pid	Process	procid_target
PID 1620 wrote to memory of 2104	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2104	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2104	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2104	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2548	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2548	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2548	1620	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	32
PID 2548 wrote to memory of 2724	2548	BuildETH.exe	34
PID 2548 wrote to memory of 2724	2548	BuildETH.exe	34
PID 2548 wrote to memory of 2724	2548	BuildETH.exe	34
PID 2724 wrote to memory of 2916	2724	cmd.exe	36
PID 2724 wrote to memory of 2916	2724	cmd.exe	36
PID 2724 wrote to memory of 2916	2724	cmd.exe	36
PID 2548 wrote to memory of 1320	2548	BuildETH.exe	37
PID 2548 wrote to memory of 1320	2548	BuildETH.exe	37
PID 2548 wrote to memory of 1320	2548	BuildETH.exe	37
PID 1320 wrote to memory of 1720	1320	RuntimeServiseDriver.exe	38
PID 1320 wrote to memory of 1720	1320	RuntimeServiseDriver.exe	38
PID 1320 wrote to memory of 1720	1320	RuntimeServiseDriver.exe	38
PID 1320 wrote to memory of 568	1320	RuntimeServiseDriver.exe	40
PID 1320 wrote to memory of 568	1320	RuntimeServiseDriver.exe	40
PID 1320 wrote to memory of 568	1320	RuntimeServiseDriver.exe	40
PID 1720 wrote to memory of 688	1720	cmd.exe	41
PID 1720 wrote to memory of 688	1720	cmd.exe	41
PID 1720 wrote to memory of 688	1720	cmd.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620
- C:\ProgramData\cryptbuild.exe
  "C:\ProgramData\cryptbuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\ProgramData\BuildETH.exe
  "C:\ProgramData\BuildETH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
      4⤵
      Executes dropped EXE
      PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cryptbuild.exe

Filesize
116KB

MD5
c4d92ed388bc01a402908d4df96380cd

SHA1
b0228af6c59f73ee49e9a2479be4210ee4f4f58f

SHA256
52ff370b4dbac609296975de229e3e42b60e5a1b820e9cc5fa9b5208936434bc

SHA512
5b8d487570808765b2c7c3494531046d4c979412ab13c7c65ba5f4a2e3902f2c290f5564a87c259866482af01068b822a43d122c396cd182984df583a0340172

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
11b6a3126772a27982b2075e2e5b3884

SHA1
15e234119c23362aec4897eb94fcfe9b9061ce61

SHA256
1e6cffaada09e3d52a94b4cab9e2b608271c4387a22c0fe66f7a73fcaf96d1ae

SHA512
94f571802466234c5577422fb4116a970b7b6ca8ab024551778e4542591d969f9075357adf62342c5d60722d492650cc9a50443113a3b605c863597ad60f7674

Download Submit
\ProgramData\BuildETH.exe

Filesize
2.0MB

MD5
38aa8b375107f06eb29082630be6ac4c

SHA1
0850b438fc1e8b3b8464360cb7f0ecdb95160860

SHA256
074177ac9049870fec10c30d11afd9d9fd44829ecb08d298c8fccbe606b1fa94

SHA512
791b4d268b9a34b144379f44027fd5be3f87c0d87dc667348f862ffd0b2fb1fbcb03b6b618ac881ce118888aa748ef9bddc488bc3b547980cac01b6268188d7c

Download Submit
memory/568-37-0x000000013F9A0000-0x000000013F9A6000-memory.dmp

Filesize
24KB

Download
memory/1320-29-0x000000013FC00000-0x000000013FDFC000-memory.dmp

Filesize
2.0MB

Download
memory/1620-1-0x000000013F8B0000-0x000000013FB04000-memory.dmp

Filesize
2.3MB

Download
memory/1620-2-0x000000001C670000-0x000000001C8CE000-memory.dmp

Filesize
2.4MB

Download
memory/1620-3-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-4-0x000000001ABB0000-0x000000001ADCA000-memory.dmp

Filesize
2.1MB

Download
memory/1620-17-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2104-20-0x00000000008D0000-0x00000000008F2000-memory.dmp

Filesize
136KB

Download
memory/2548-18-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-22-0x000000001DA10000-0x000000001DBFA000-memory.dmp

Filesize
1.9MB

Download
memory/2548-30-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-21-0x000000001CC90000-0x000000001CE80000-memory.dmp

Filesize
1.9MB

Download
memory/2548-19-0x000000013F3B0000-0x000000013F5AC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads