redline | a16ffac57803b1af0f18e383e80971722e65661601019a884ed3d2c7d3be8cc9

General

Target

9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
Size

2.3MB
MD5

9428c2451bc098d6401dc094e2ae8e3f
SHA1

a2d7de9ba7516ed1386cb923db38d8dc3c3ccc1d
SHA256

a16ffac57803b1af0f18e383e80971722e65661601019a884ed3d2c7d3be8cc9
SHA512

de771b7fd8731af0ca29832f8f7f830f85ed15784658eeef0a67ee84362973423315551dadf847186dc96691eac355f10d99506185d7bfbe3dd700563a130cd8
SSDEEP

49152:sWMBHn8mewe80/X5SGPUTS4+HQrr3G8kwEArdOVs2ZDVvB67lCJFd:qTfeFSGPibjXeAcVDZBv87lkFd

Score

10^/10

redline sectoprat @piffik discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@Piffik

C2

185.183.32.195:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cb0-9.dat	family_redline
behavioral2/memory/4792-35-0x0000000000420000-0x0000000000442000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/244-4-0x000000001DDC0000-0x000000001DFDA000-memory.dmp	family_sectoprat
behavioral2/files/0x0008000000023cb0-9.dat	family_sectoprat
behavioral2/memory/4792-35-0x0000000000420000-0x0000000000442000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	BuildETH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeServiseDriver.exe

Executes dropped EXE 4 IoCs

pid	Process
4792	cryptbuild.exe
4680	BuildETH.exe
3092	RuntimeServiseDriver.exe
1356	sihost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptbuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3268	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4680	BuildETH.exe
3092	RuntimeServiseDriver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	BuildETH.exe
Token: SeDebugPrivilege	3092	RuntimeServiseDriver.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4792	244	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	82
PID 244 wrote to memory of 4792	244	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	82
PID 244 wrote to memory of 4792	244	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	82
PID 244 wrote to memory of 4680	244	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	84
PID 244 wrote to memory of 4680	244	9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe	84
PID 4680 wrote to memory of 2148	4680	BuildETH.exe	85
PID 4680 wrote to memory of 2148	4680	BuildETH.exe	85
PID 2148 wrote to memory of 3268	2148	cmd.exe	87
PID 2148 wrote to memory of 3268	2148	cmd.exe	87
PID 4680 wrote to memory of 3092	4680	BuildETH.exe	92
PID 4680 wrote to memory of 3092	4680	BuildETH.exe	92
PID 3092 wrote to memory of 1604	3092	RuntimeServiseDriver.exe	94
PID 3092 wrote to memory of 1604	3092	RuntimeServiseDriver.exe	94
PID 1604 wrote to memory of 2960	1604	cmd.exe	96
PID 1604 wrote to memory of 2960	1604	cmd.exe	96
PID 3092 wrote to memory of 1356	3092	RuntimeServiseDriver.exe	97
PID 3092 wrote to memory of 1356	3092	RuntimeServiseDriver.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9428c2451bc098d6401dc094e2ae8e3f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:244
- C:\ProgramData\cryptbuild.exe
  "C:\ProgramData\cryptbuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\ProgramData\BuildETH.exe
  "C:\ProgramData\BuildETH.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3268
- - C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "RuntimeServiseDriver" /tr '"C:\Users\Admin\AppData\Local\Temp\RuntimeServiseDriver.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
      4⤵
      Executes dropped EXE
      PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BuildETH.exe

Filesize
2.0MB

MD5
38aa8b375107f06eb29082630be6ac4c

SHA1
0850b438fc1e8b3b8464360cb7f0ecdb95160860

SHA256
074177ac9049870fec10c30d11afd9d9fd44829ecb08d298c8fccbe606b1fa94

SHA512
791b4d268b9a34b144379f44027fd5be3f87c0d87dc667348f862ffd0b2fb1fbcb03b6b618ac881ce118888aa748ef9bddc488bc3b547980cac01b6268188d7c

Download Submit
C:\ProgramData\cryptbuild.exe

Filesize
116KB

MD5
c4d92ed388bc01a402908d4df96380cd

SHA1
b0228af6c59f73ee49e9a2479be4210ee4f4f58f

SHA256
52ff370b4dbac609296975de229e3e42b60e5a1b820e9cc5fa9b5208936434bc

SHA512
5b8d487570808765b2c7c3494531046d4c979412ab13c7c65ba5f4a2e3902f2c290f5564a87c259866482af01068b822a43d122c396cd182984df583a0340172

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
11b6a3126772a27982b2075e2e5b3884

SHA1
15e234119c23362aec4897eb94fcfe9b9061ce61

SHA256
1e6cffaada09e3d52a94b4cab9e2b608271c4387a22c0fe66f7a73fcaf96d1ae

SHA512
94f571802466234c5577422fb4116a970b7b6ca8ab024551778e4542591d969f9075357adf62342c5d60722d492650cc9a50443113a3b605c863597ad60f7674

Download Submit
memory/244-0-0x00007FF814CB3000-0x00007FF814CB5000-memory.dmp

Filesize
8KB

Download
memory/244-1-0x0000000000DF0000-0x0000000001044000-memory.dmp

Filesize
2.3MB

Download
memory/244-2-0x000000001D360000-0x000000001D5BE000-memory.dmp

Filesize
2.4MB

Download
memory/244-3-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/244-4-0x000000001DDC0000-0x000000001DFDA000-memory.dmp

Filesize
2.1MB

Download
memory/244-29-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/1356-73-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/4680-42-0x000000001D2D0000-0x000000001D4C0000-memory.dmp

Filesize
1.9MB

Download
memory/4680-33-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/4680-30-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/4680-31-0x0000000000760000-0x000000000095C000-memory.dmp

Filesize
2.0MB

Download
memory/4680-59-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/4680-44-0x0000000003350000-0x0000000003362000-memory.dmp

Filesize
72KB

Download
memory/4680-43-0x000000001DCC0000-0x000000001DEAA000-memory.dmp

Filesize
1.9MB

Download
memory/4792-38-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4792-40-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-41-0x0000000004D50000-0x0000000004D9C000-memory.dmp

Filesize
304KB

Download
memory/4792-39-0x0000000004D10000-0x0000000004D4C000-memory.dmp

Filesize
240KB

Download
memory/4792-34-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4792-37-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/4792-36-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/4792-35-0x0000000000420000-0x0000000000442000-memory.dmp

Filesize
136KB

Download
memory/4792-75-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4792-76-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads