Extracted

• • Target

    a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118

  • Size

    1.0MB

  • MD5

    a2662fb73bd4f01311cb33f20b72baca

  • SHA1

    df62e36435f56799154bfcc1962a3e0a36769eec

  • SHA256

    054ce7a68c5ef3e99d04df90781e6e084517e9499f62afef7f423d4d331e155d

  • SHA512

    de09c6023a185525e29c0f3f19d00aa6c38b386cf3262827d245cac0d92f70f79f87d1d9c5c053fd490766a67feefdc33a0a474453624d535677a69ae421c357

  • SSDEEP

    24576:XL2oFugO/TMRpV5n08Xcvpr+NOwZi3uv+:X6oJ1Rtn0Ll+Jyu2

  Score

  10^/10

  redlinesectoprat@fx0321discoveryexecutioninfostealerpersistencerattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    $APPDATA/RuntimeBroker.exe

  • Size

    58KB

  • MD5

    411e7ed61ef7002096f3e3d2ce519734

  • SHA1

    fdf8d29b4b310974477539fc35c3b3d327963c6c

  • SHA256

    822c45c64e7c5e5781cc07933042ed274b13083ab32125efcd8d68cb33a899bc

  • SHA512

    7500c26d1a3e6c3e318c48799c4adb35dfb8940daef7950a451fe78c6433cec057d4fdf4cc024e6e172568253056b869dec058f9b2d3c21e0a8c25001887bfe2

  • SSDEEP

    768:nyVi4c//HcAtm3sMMX+KYlZT7IVHrzvR+g2ikZTn2vwE+WPkeicvKmfg7UbcKjb/:nDb8QD+KYlZToV+Yk/cimfu6cK37L

  Score

  6^/10

  persistence

  • Adds Run key to start application

    persistence
  behavioral3behavioral4

• • Target

    $TEMP/KeyActivate.exe

  • Size

    569KB

  • MD5

    9bb06ab42d4883d1315641b62dd65e58

  • SHA1

    e58876178a5cfc69c62c6f72c06c6f34b3e4b821

  • SHA256

    d1347ceaeb056a0ba1ceb2a674864c2b6123c5ec516d1de0d6f1b17653638474

  • SHA512

    1ca41b28fa675c6b7f8efc9d5fa9e515324985e7715f0bca33c5e75ccf85845096cbc44688a0a7f6b1c73a807031ffe1814873b51559d56e9f608525250870c8

  • SSDEEP

    6144:KtkWYHHmXrDcmnBQmt3xRdyaAqbvdPeaNx9MuxY+NdxCM2o:Kksrfe2vdTdPeoxeu1L2o

  Score

  8^/10

  execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral5behavioral6

• • Target

    $TEMP/launcher.exe

  • Size

    416KB

  • MD5

    3f4ced9fb30a8c31f129d5e717141171

  • SHA1

    2e6cdc927bc9e17e8c3e3985e6dc783d2f359e55

  • SHA256

    507640330eb0d338c68d640ed4c4a4fe0a87a6293bf57afa74cfbaea20dd019c

  • SHA512

    01374beb7508b7ee962fdb4764cfce2a3b5902ebb92993f0359ede0363de905eea72c30ab1d80cc9e0f0771c8c95e5b3faa189703d948a2d87386eb9c0df0faf

  • SSDEEP

    6144:PBpK6MVQSu3K1uKvpWN5jK0yijz4c4JSupenGWg2D1Zi3uIfik/NglFh:PBpKv6K0KvpWPK5i4cg+4OZi3uDkYF

  Score

  10^/10

  redlinesectoprat@fx0321discoveryinfostealerrattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of SetThreadContext

  behavioral7behavioral8