redline | 7d0a1169c881231d6a438eb1df2a653aa1b003ff5c0c57a2766353f82a6ab49a

General

Target

a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
Size

1.1MB
MD5

a8e15354ee16aae5eec64d0f2eac296d
SHA1

e5a60bf87dd9aa2317abb6658dc470d9d85aad72
SHA256

7d0a1169c881231d6a438eb1df2a653aa1b003ff5c0c57a2766353f82a6ab49a
SHA512

7bca26ff62492b6846016e267595c4486259a48eb2737902719b02f866bf562191ed50453a5bc01b04d98e2bf64e07aff22945c5cac08d615a027e2f4ff1e97a
SSDEEP

12288:FN40/S6FSwe5zzkXKWzpdOxtz5+tIZ14dufNyZLoY18p+Jh6KRLIrRuT7iXV4+Tx:iGji

Score

10^/10

redline sectoprat rich discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

rich

C2

95.217.248.44:11695

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4268-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4268-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
Token: SeDebugPrivilege	4268	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89
PID 1844 wrote to memory of 4268	1844	a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a8e15354ee16aae5eec64d0f2eac296d_JaffaCakes118.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
memory/1844-5-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/1844-13-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-1-0x0000000000120000-0x000000000023A000-memory.dmp

Filesize
1.1MB

Download
memory/1844-4-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1844-6-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1844-7-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-8-0x0000000004E50000-0x0000000004E76000-memory.dmp

Filesize
152KB

Download
memory/1844-3-0x0000000004C50000-0x0000000004CE2000-memory.dmp

Filesize
584KB

Download
memory/1844-2-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/4268-20-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4268-12-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4268-14-0x0000000006170000-0x0000000006788000-memory.dmp

Filesize
6.1MB

Download
memory/4268-15-0x00000000051E0000-0x00000000051F2000-memory.dmp

Filesize
72KB

Download
memory/4268-16-0x0000000005B90000-0x0000000005BCC000-memory.dmp

Filesize
240KB

Download
memory/4268-17-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download
memory/4268-18-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4268-19-0x0000000007B00000-0x0000000007C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4268-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing