redline | 2ed39be8a8fb7c8865ceefe8982287d1cd5d03871100865f549242460e08c449

Analysis

max time kernel
135s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Size

511KB
MD5

a9ffae175be0aec08fac2026601215e9
SHA1

409af83dbdb7ac2188732b72ef39e9dea2fed1ae
SHA256

2ed39be8a8fb7c8865ceefe8982287d1cd5d03871100865f549242460e08c449
SHA512

275c5189832cbdae5d286ea01b8c146b32fafcb6a19dc9a75819fae4f03671b2293022f90d0910ac633e0dc20332d2eb7120875d799b02afd24e6153eb75ccd6
SSDEEP

6144:SZw1WZEg3Zt17cVqSqOjgsVP/RG4vDuK8tFAnpLL/Y6afli96VT1cACTfgjdkAd:ScWaaAjBLG4buJgtY6LK1kfgjdkAd

Score

10^/10

redline sectoprat defense_evasion discovery evasion execution infostealer privilege_escalation rat trojan

Malware Config

Extracted

Family

redline

103.207.39.189:47019

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2756-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-34-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2756-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2756-28-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-23-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-34-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2756-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe = "0"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0008000000016c89-7.dat	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	AdvancedRun.exe
2832	AdvancedRun.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
2800	AdvancedRun.exe
2800	AdvancedRun.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe = "0"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2800	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2800	AdvancedRun.exe
2800	AdvancedRun.exe
2832	AdvancedRun.exe
2832	AdvancedRun.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	AdvancedRun.exe
Token: SeImpersonatePrivilege	2800	AdvancedRun.exe
Token: SeDebugPrivilege	2832	AdvancedRun.exe
Token: SeImpersonatePrivilege	2832	AdvancedRun.exe
Token: SeDebugPrivilege	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2756	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2800	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2800	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2800	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2800	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2832	2800	AdvancedRun.exe	31
PID 2800 wrote to memory of 2832	2800	AdvancedRun.exe	31
PID 2800 wrote to memory of 2832	2800	AdvancedRun.exe	31
PID 2800 wrote to memory of 2832	2800	AdvancedRun.exe	31
PID 2220 wrote to memory of 2772	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2772	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2772	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2772	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34
PID 2220 wrote to memory of 2756	2220	a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\AdvancedRun.exe" /SpecialRun 4101d8 2800
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a9ffae175be0aec08fac2026601215e9_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\b4871f6c-83e7-4267-8de2-8256377fea1a\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/2220-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000000ED0000-0x0000000000F52000-memory.dmp

Filesize
520KB

Download
memory/2220-2-0x00000000005D0000-0x000000000063A000-memory.dmp

Filesize
424KB

Download
memory/2220-3-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-29-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download