redline | 37f2d96a016ee990d7e9eb60096de7d949fd69bb53f8ea62aeae2f7026610198

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe
Size

2.3MB
MD5

bc43542f005e7e181e5efcb2ce047654
SHA1

f6ebceddc551667f82e81c8df64efad4bfe9d367
SHA256

37f2d96a016ee990d7e9eb60096de7d949fd69bb53f8ea62aeae2f7026610198
SHA512

6e18e6f8c749f163a6cbb1b60daef86e9c08da4138b6cd769ea65cfa385801a848bb950a13848602df75c59c3eaf959e50ef6011cfc8dfc3fe2d86ec74f5be70
SSDEEP

49152:H5+hFobqb3KQPiCRFpIfp/au9InDnUQtP+0n/hbxiz8lVHTIioOFZQ+A:H5aFog6cDRPIhajnD5PppbxiqZ7A

Score

10^/10

redline sectoprat @janhidf discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@janhidf

45.14.12.90:52072

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4e0-75.dat	family_redline
behavioral1/memory/2444-78-0x0000000000380000-0x000000000039E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4e0-75.dat	family_sectoprat
behavioral1/memory/2444-78-0x0000000000380000-0x000000000039E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 9 IoCs

pid	Process
2844	7z.exe
408	7z.exe
2868	7z.exe
2856	7z.exe
2704	7z.exe
1732	7z.exe
2260	7z.exe
2192	7z.exe
2444	janhidf.exe

Loads dropped DLL 16 IoCs

pid	Process
2884	cmd.exe
2844	7z.exe
2884	cmd.exe
408	7z.exe
2884	cmd.exe
2868	7z.exe
2884	cmd.exe
2856	7z.exe
2884	cmd.exe
2704	7z.exe
2884	cmd.exe
1732	7z.exe
2884	cmd.exe
2260	7z.exe
2884	cmd.exe
2192	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	janhidf.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2444	janhidf.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	2844	7z.exe
Token: 35	2844	7z.exe
Token: SeSecurityPrivilege	2844	7z.exe
Token: SeSecurityPrivilege	2844	7z.exe
Token: SeRestorePrivilege	408	7z.exe
Token: 35	408	7z.exe
Token: SeSecurityPrivilege	408	7z.exe
Token: SeSecurityPrivilege	408	7z.exe
Token: SeRestorePrivilege	2868	7z.exe
Token: 35	2868	7z.exe
Token: SeSecurityPrivilege	2868	7z.exe
Token: SeSecurityPrivilege	2868	7z.exe
Token: SeRestorePrivilege	2856	7z.exe
Token: 35	2856	7z.exe
Token: SeSecurityPrivilege	2856	7z.exe
Token: SeSecurityPrivilege	2856	7z.exe
Token: SeRestorePrivilege	2704	7z.exe
Token: 35	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeRestorePrivilege	1732	7z.exe
Token: 35	1732	7z.exe
Token: SeSecurityPrivilege	1732	7z.exe
Token: SeSecurityPrivilege	1732	7z.exe
Token: SeRestorePrivilege	2260	7z.exe
Token: 35	2260	7z.exe
Token: SeSecurityPrivilege	2260	7z.exe
Token: SeSecurityPrivilege	2260	7z.exe
Token: SeRestorePrivilege	2192	7z.exe
Token: 35	2192	7z.exe
Token: SeSecurityPrivilege	2192	7z.exe
Token: SeSecurityPrivilege	2192	7z.exe
Token: SeDebugPrivilege	2444	janhidf.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2884	2604	bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2884	2604	bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2884	2604	bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2884	2604	bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2952	2884	cmd.exe	32
PID 2884 wrote to memory of 2952	2884	cmd.exe	32
PID 2884 wrote to memory of 2952	2884	cmd.exe	32
PID 2884 wrote to memory of 2844	2884	cmd.exe	33
PID 2884 wrote to memory of 2844	2884	cmd.exe	33
PID 2884 wrote to memory of 2844	2884	cmd.exe	33
PID 2884 wrote to memory of 408	2884	cmd.exe	34
PID 2884 wrote to memory of 408	2884	cmd.exe	34
PID 2884 wrote to memory of 408	2884	cmd.exe	34
PID 2884 wrote to memory of 2868	2884	cmd.exe	35
PID 2884 wrote to memory of 2868	2884	cmd.exe	35
PID 2884 wrote to memory of 2868	2884	cmd.exe	35
PID 2884 wrote to memory of 2856	2884	cmd.exe	36
PID 2884 wrote to memory of 2856	2884	cmd.exe	36
PID 2884 wrote to memory of 2856	2884	cmd.exe	36
PID 2884 wrote to memory of 2704	2884	cmd.exe	37
PID 2884 wrote to memory of 2704	2884	cmd.exe	37
PID 2884 wrote to memory of 2704	2884	cmd.exe	37
PID 2884 wrote to memory of 1732	2884	cmd.exe	38
PID 2884 wrote to memory of 1732	2884	cmd.exe	38
PID 2884 wrote to memory of 1732	2884	cmd.exe	38
PID 2884 wrote to memory of 2260	2884	cmd.exe	39
PID 2884 wrote to memory of 2260	2884	cmd.exe	39
PID 2884 wrote to memory of 2260	2884	cmd.exe	39
PID 2884 wrote to memory of 2192	2884	cmd.exe	40
PID 2884 wrote to memory of 2192	2884	cmd.exe	40
PID 2884 wrote to memory of 2192	2884	cmd.exe	40
PID 2884 wrote to memory of 1520	2884	cmd.exe	41
PID 2884 wrote to memory of 1520	2884	cmd.exe	41
PID 2884 wrote to memory of 1520	2884	cmd.exe	41
PID 2884 wrote to memory of 2444	2884	cmd.exe	42
PID 2884 wrote to memory of 2444	2884	cmd.exe	42
PID 2884 wrote to memory of 2444	2884	cmd.exe	42
PID 2884 wrote to memory of 2444	2884	cmd.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc43542f005e7e181e5efcb2ce047654_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\attrib.exe
    attrib +H "janhidf.exe"
    3⤵
    - Views/modifies file attributes
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\svchost\janhidf.exe
    "janhidf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
6f41afa3a6cb8b9ab48d27264b74d006

SHA1
09a4958cc56fce23633bc46aaf9abc59b372d4f6

SHA256
4b66ad19ffd1ebfafdc2f124022c666d91f87dababbec620e7900775ac62e033

SHA512
f688f72a056c52e7f72b3a0bbfd5d301234b2c26b2a25e1f15e864f5b506654f27893f645971aa79b83a7f4ca857017e8cdd8e5224f45d2899fe67855c033db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

Filesize
40KB

MD5
c4d059eb65f0ef100602977cb470724b

SHA1
f87955e35ac37114b18421395e624b05edd8f23e

SHA256
3cb1b064ec777f9f5b52ddc5524af016e18a35a93ca78c97a0a02d500f537420

SHA512
9d62ffd1a22db85e277f4b635de93314b96d8206bf0824deaee34c3cd0c1f99e70821966cbf6cabcb858d1c215b4090fae5d325d89f801388fe8c2427caeeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

Filesize
40KB

MD5
ab17fb3303553fb9dcfaef296b9737bf

SHA1
078ca72bacc08c066c234448c3f62c33a6b8ef0c

SHA256
57db7ab94f09e2ebfd61e8f40c5d732ac8fc3411e8f04e7b622b70947a5a63d2

SHA512
141b2ec634e9081d087559b7ca16ebd83d98f2eddf37dc3f3c28c7bab81242a97b2d36da07f58f1315b99c90d816c86221a7c3a98b9c3a7b321d85ea49706dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

Filesize
40KB

MD5
0bee242000c9acb11acd866e6e4055f9

SHA1
cbc36f27883eca6e9174cc9cb9ab66b132850e11

SHA256
0dc793cf289016368f2f9737e076e727963c86869624dcc8ca2e35ef74277b2c

SHA512
775d00ab4b47664f8f8d6477dd6225ae672986a6c9a0c6cadd5312ad330ad292bd157895e46c3233b90a29d96fa3f466e0db259cb521446ddf549ec73d72b598

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

Filesize
40KB

MD5
7ab7a6f81ab745eeb5d032951edfed3d

SHA1
1547bb9be9067db86fdc3544b08b0c1554b0ddfc

SHA256
b6d1fb23b9e7b62409e4d1b48c3da752d5fb4a2c6d0e45a85c5c24edf2750286

SHA512
39cc42ab0c8f41f51462e773055ea860b7ed08f87eb6eb56f04b8741893557fa05dab09d257456f55c57e572224ea6c6719b46f6492df94298c71866b6686896

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

Filesize
40KB

MD5
9c3ee1368b9c4c85464d0b231a047b1d

SHA1
178b7d31aa97829e8841f57a3eda3fd3fd93311d

SHA256
07f9dbf8d10d3fe921ae9c79b7ae4e349becffc9e9605ba265c51bae4f29d202

SHA512
f65aad1514067c2890d7716aef35ed4b687cb5f2365dc2ab0ed541e5b70d5e4d1139ae3ab24dffe5358c5b60c48c00ac4f9d3cae767d8bbdda4888dff05fb07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip

Filesize
41KB

MD5
8baa7100f7fc66c2613b5017dba1de63

SHA1
18915ff2dea9254277f5a49c4c0c0b41c01dce2a

SHA256
1b1956314d295e1da25f93f432d2f50c753594b780e782cbb2c62f623402faa1

SHA512
7c7a338ebad33b0f33533412f2eb10c829b0c292fdbeddb3a7a85d303c4532a179e5002866aa9d74e5904a90060fda57c78d8fda309af8847ff3851d67efdceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip

Filesize
1.5MB

MD5
3215c7a96d4b07c81db07a1951122845

SHA1
9df1d41bec4e5137a90a20c7760034afebb8ed9e

SHA256
24b5b1d01fff0a359d6451202577e13e944cdad80d0b4f05cbd60273d234faa4

SHA512
c080950c653593c1d0e384fe91c8d7b97d9b3818911204bea7b98658b7a988cdf8722d0432c400635ed320a6793a341e3f86b49b43e66e1460dd4ae4b20d5d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\janhidf.exe

Filesize
99KB

MD5
a42608e928cfd28602e252d4feb52352

SHA1
243d378906e9a4c355c3091ccf2763e0dfdbe33b

SHA256
10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc

SHA512
ce6a597bd3caee4f141d12c987b41d4041adee78437a8c1803a84c24968a6f35eb3cd3779270479c836e25f19770981f74bfc3ed7509aee44c7a4ef70e2d667d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

Filesize
1.5MB

MD5
a4fa165bef059799cee3ec069dd50d0a

SHA1
dc296aee2892a40b957f354e77fec08781e97bd3

SHA256
7b6000750f4178c5b920aba81f3395f58e214523f7fb8388d6518814ea38abc2

SHA512
60ceced7c1d66d6f64a44e4000a32ec39f62f4d6314e2bf919a49b0180f84b3670a4a8e9de5e3a7eedc504a0c04e33840308be452bcfe374d95aea77d7c7b885

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Filesize
447B

MD5
5ea9e42fc392826e46615a787e7228fa

SHA1
6a91734d8f9111acfce8f851b247632bb8cab472

SHA256
5f18e250bd5a729ab540c788062bb073a64acc73008c54f47dd6cf2542e880fb

SHA512
d6d9787a7991be8a14044e8ea6cc5737fe4ca09ca45378017987f73850c7a67fca7a9d451a6ddb5711557cb78a8c7c936060ffb1fb2af2802857266d58435227

Download Submit
memory/2444-78-0x0000000000380000-0x000000000039E000-memory.dmp

Filesize
120KB

Download