Extracted

• • Target

    dda761f784da71fb49d313a4e67f6f16_JaffaCakes118

  • Size

    2.0MB

  • MD5

    dda761f784da71fb49d313a4e67f6f16

  • SHA1

    907465151e20d438c54337548086f910c9ae5f6f

  • SHA256

    6771fffbde6927eaa93f84d400a7dc61d17442193e40544f015227495f39c84c

  • SHA512

    e9a93bac4e56f9d1cbe3ce6d506d645a9a6ac2c7ba471466972afdc16fa05d33f26fdd40b0d19bfc5b174c34c09a4d395eba1ea52907b67ac05009b069e42f32

  • SSDEEP

    49152:CzK6IbF8Md2eJYJPjPeANSwbK27PS/00IR99t9Skgq:16Md2eYdp7PSc0IbIkgq

  Score

  10^/10

  redlinesectopratbootkitdiscoveryevasioninfostealerpersistencerattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Checks whether UAC is enabled

    evasiontrojan

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2