redline | 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921

General

Target

a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
Size

1.0MB
MD5

a08fedd1af1461cd057783b833b75c1a
SHA1

0422a45292fde8398a5a3f3f1a228b2d882075b5
SHA256

49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921
SHA512

07cc0e7ec0eeab10fcb3fa2e58231c366c0a999bfb2df0968253d5461e155d603a8224cb37e9a0dfc0a1e75c24a4cb86d25d0a06efdf23514744f6f9c511efdd
SSDEEP

24576:qSLX3jL0oSml1h4rZwFamT0Mr+GoJDgsKFlb9z9:REoNsIamT0bGcgvxx

Score

10^/10

redline sectoprat tony1008 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

tony1008

C2

193.188.22.4:45689

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/512-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/512-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHWBEogcsR.url	Sapete.exe.com

Executes dropped EXE 3 IoCs

pid	Process
4240	Sapete.exe.com
2232	Sapete.exe.com
512	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 512	2232	Sapete.exe.com	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sapete.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sapete.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4596	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4596	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	Sapete.exe.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4240	Sapete.exe.com
4240	Sapete.exe.com
4240	Sapete.exe.com
2232	Sapete.exe.com
2232	Sapete.exe.com
2232	Sapete.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4240	Sapete.exe.com
4240	Sapete.exe.com
4240	Sapete.exe.com
2232	Sapete.exe.com
2232	Sapete.exe.com
2232	Sapete.exe.com

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 916	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	82
PID 1648 wrote to memory of 916	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	82
PID 1648 wrote to memory of 916	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	82
PID 1648 wrote to memory of 2544	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	83
PID 1648 wrote to memory of 2544	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	83
PID 1648 wrote to memory of 2544	1648	a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe	83
PID 2544 wrote to memory of 2220	2544	cmd.exe	85
PID 2544 wrote to memory of 2220	2544	cmd.exe	85
PID 2544 wrote to memory of 2220	2544	cmd.exe	85
PID 2220 wrote to memory of 2168	2220	cmd.exe	86
PID 2220 wrote to memory of 2168	2220	cmd.exe	86
PID 2220 wrote to memory of 2168	2220	cmd.exe	86
PID 2220 wrote to memory of 4240	2220	cmd.exe	87
PID 2220 wrote to memory of 4240	2220	cmd.exe	87
PID 2220 wrote to memory of 4240	2220	cmd.exe	87
PID 2220 wrote to memory of 4596	2220	cmd.exe	88
PID 2220 wrote to memory of 4596	2220	cmd.exe	88
PID 2220 wrote to memory of 4596	2220	cmd.exe	88
PID 4240 wrote to memory of 2232	4240	Sapete.exe.com	89
PID 4240 wrote to memory of 2232	4240	Sapete.exe.com	89
PID 4240 wrote to memory of 2232	4240	Sapete.exe.com	89
PID 2232 wrote to memory of 512	2232	Sapete.exe.com	97
PID 2232 wrote to memory of 512	2232	Sapete.exe.com	97
PID 2232 wrote to memory of 512	2232	Sapete.exe.com	97
PID 2232 wrote to memory of 512	2232	Sapete.exe.com	97

C:\Users\Admin\AppData\Local\Temp\a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a08fedd1af1461cd057783b833b75c1a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Ogni.cab
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^kFkkCweteokIGxUGjOtmnesFfoGwECEIbjuYaFuyaLppmuaDjBQwmHGogFWzxwmADClxhWhHHYuNSiuoQrPrLC$" Mette.cab
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
      Sapete.exe.com L
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Amo.cab

Filesize
932KB

MD5
42b8dfcab48c591aa8038a87be160269

SHA1
e458c1f76385ac9429bc108b20212c386f36a6d9

SHA256
7c1594b00cc334b037f1659bbe8862da2c14d8bd21ed88ec47754152d034eb0c

SHA512
72e38458d38f4607c7e9820f84646d9aae151e951e2df7c9ed05a03c0c04d5f6974e981af081269a49378b1d44a6a036ee6f2ce35474ef0f700afb848816714c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Carne.cab

Filesize
100KB

MD5
0c427e6f16dc32614a39500f504cb381

SHA1
d55fe1964be896f2d8ca7a99d05474e5c4b53646

SHA256
12b0e9178895ce07ca693db69f66e02c2b82fdc226c1b26875858914ab8e63c5

SHA512
9eef44536f6675292fbf5d8edddbf2b66729340972275cc3a407917fb1992e69224aa66055fd3d4117678385a6626206ba73f57b28264ea67bee01ffd8f30d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mette.cab

Filesize
872KB

MD5
023ac056066caccddddf89f9f2d82f75

SHA1
bb84162b4c7faca2191e7337564ab6bb77c15c86

SHA256
d1b196714edee779c2b81c5c5ba32ca0ddbd4818d17df7ad00967eadcc8b8bbe

SHA512
2ab0af4d14b1b5191925b86108dcbc636cdf5e9b4379d2b56afe0836d1de70d1473cce8a7faa8857863ec93945afaf33eaffa196d02a728859e9084265127114

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ogni.cab

Filesize
528B

MD5
f942cd7ee1aa109106ad0de627cd56a9

SHA1
46ab21a3270770b9510f594fc33ff7628a17540c

SHA256
dd08a926408b1e7d0687f45fe57dcdb0d5e6d04e25a8c4de383ee2b2b69da009

SHA512
ce02b2f215334ce7c1ffe32899b9d614c0b31004af053dcf0aea484cd377d816f09f37c1e9a3cfb45a8ac99939011adbc2c81d2b6bd68cdf98067b208c74d68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/512-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/512-32-0x0000000004E40000-0x0000000005458000-memory.dmp

Filesize
6.1MB

Download
memory/512-33-0x00000000048C0000-0x00000000048D2000-memory.dmp

Filesize
72KB

Download
memory/512-34-0x0000000004920000-0x000000000495C000-memory.dmp

Filesize
240KB

Download
memory/512-35-0x00000000049B0000-0x00000000049FC000-memory.dmp

Filesize
304KB

Download
memory/512-36-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing