healer | 963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe
Size

1.0MB
MD5

1bfa86c8838e1bb8353afe86e01b6f23
SHA1

6aa86b2cd7afb5d9c5d22be9dc7fc676b3a83620
SHA256

963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6
SHA512

ca00434c3b7a35de3132e788e2c52ddf118ff091cc60701d025e4ed53e0e440654ee70b60a5b690d440660f7ab987d539e2e89d8a61d57642ed03ce966d0c582
SSDEEP

24576:fyyrRs1FSiCAvjy6+AeVODlv4Zo7mpS3WsT2fpDCP:qyrRs+xAbfRDN4lpqT2f

Score

10^/10

healer redline ramon discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

193.233.20.23:4123

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bef-27.dat	healer
behavioral1/memory/3520-28-0x0000000000C40000-0x0000000000C4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bDe05dI51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bDe05dI51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bDe05dI51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bDe05dI51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bDe05dI51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bDe05dI51.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3984-34-0x0000000004D00000-0x0000000004D46000-memory.dmp	family_redline
behavioral1/memory/3984-36-0x0000000004DA0000-0x0000000004DE4000-memory.dmp	family_redline
behavioral1/memory/3984-48-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-60-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-100-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-98-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-96-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-94-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-92-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-90-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-88-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-86-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-84-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-82-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-78-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-76-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-74-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-72-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-70-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-68-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-66-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-64-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-62-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-58-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-56-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-54-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-52-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-50-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-46-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-44-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-42-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-41-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-80-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-38-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline
behavioral1/memory/3984-37-0x0000000004DA0000-0x0000000004DDE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3468	pTB30OQ23.exe
3924	pGq18Xw49.exe
4416	pJu18iB60.exe
3520	bDe05dI51.exe
3984	cUq48lv79.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bDe05dI51.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pGq18Xw49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pJu18iB60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pTB30OQ23.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cUq48lv79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pTB30OQ23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pGq18Xw49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pJu18iB60.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3520	bDe05dI51.exe
3520	bDe05dI51.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	bDe05dI51.exe
Token: SeDebugPrivilege	3984	cUq48lv79.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3468	1060	JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe	83
PID 1060 wrote to memory of 3468	1060	JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe	83
PID 1060 wrote to memory of 3468	1060	JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe	83
PID 3468 wrote to memory of 3924	3468	pTB30OQ23.exe	84
PID 3468 wrote to memory of 3924	3468	pTB30OQ23.exe	84
PID 3468 wrote to memory of 3924	3468	pTB30OQ23.exe	84
PID 3924 wrote to memory of 4416	3924	pGq18Xw49.exe	85
PID 3924 wrote to memory of 4416	3924	pGq18Xw49.exe	85
PID 3924 wrote to memory of 4416	3924	pGq18Xw49.exe	85
PID 4416 wrote to memory of 3520	4416	pJu18iB60.exe	86
PID 4416 wrote to memory of 3520	4416	pJu18iB60.exe	86
PID 4416 wrote to memory of 3984	4416	pJu18iB60.exe	88
PID 4416 wrote to memory of 3984	4416	pJu18iB60.exe	88
PID 4416 wrote to memory of 3984	4416	pJu18iB60.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_963b346a1d12783037370c577ba6b786e1f149a4a6fa3f5d84d209d975569bd6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTB30OQ23.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTB30OQ23.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pGq18Xw49.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pGq18Xw49.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pJu18iB60.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pJu18iB60.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bDe05dI51.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bDe05dI51.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cUq48lv79.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cUq48lv79.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTB30OQ23.exe

Filesize
906KB

MD5
673dc3883d9250ea689acb48099bc236

SHA1
46699b807647a8e0f096a65e2b7ab37f0b123201

SHA256
ffc541a05047bf9e59fe2b2bca6e7f72917ffac46680a54db142992bab981a50

SHA512
5ac941020b5b5f8c43a265a496449994a3b5d44737f89c992bb41d971e3106fe57bf349e7e00821cb5102b8d195df05bab9b46f089e27f1657726fef6e9497ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pGq18Xw49.exe

Filesize
682KB

MD5
a3d12dc66f8c90f5479b8abf740d9904

SHA1
62d51a710a7c453bfcfe156077bb160a1ed40758

SHA256
6c683b4c6fa020cc8af96ec2b02eea257412ba777c976864edaacaa8baef0407

SHA512
a9852a751f491beeae59e0071e8ed91037a15a667eb599e398dda489c010c1985ccfb09314921480635017903a488f59b1fbdc24dad3ee47d75e9b8f6d00ec23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pJu18iB60.exe

Filesize
399KB

MD5
3b681ca6108610d1e7d8b5190bacc2d6

SHA1
999a450735d985dd46cdd467ce845d440526fc98

SHA256
3673e6bd432f8cd8614783aac1420754bb99b506f598f9977d7ef1eb5e6ab9d4

SHA512
d2ae3a5a5ab56b97dee75686d2aa4d054b8a25eda98df4aff04ef2e594320abb2fdbfb20305f682424ffdf38cd018c8530e35425d22836cc6763327a7a20a648

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bDe05dI51.exe

Filesize
11KB

MD5
0dedb2624e3d8afbff42fd944752a7cb

SHA1
32c96f9b4eea64204d18eb155925e25dc1ef4492

SHA256
4f0631230435053b132b4ea993fed46852ee0b03c066d518f14ee1c5556cb07c

SHA512
de83e37a7fef41196d5ad2b8fe2aa72f1d06d10a6a762965107465a3dc37f3b668bb7ffbda1300212fbe56f6728d61c5efd16eab63552237dbfc0bbdc7066a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cUq48lv79.exe

Filesize
374KB

MD5
9b5ef04e3ab3c694ea112595c7c274bf

SHA1
143b74803ab63806854158d3c49699b2f4693039

SHA256
6ff032e10de78fe3a37d2bfb52e383f5e6c4e31ee7c8527ed88cd5dc836c34cf

SHA512
4b07597d77e417a3e93f8fad63f304a65c98af6f95e36d48dedcf339b6bf6d767520843f36303764b4b7d771c51ea50cbc7e0784cf3c30c6a2611e3b08cca2d6

Download Submit
memory/3520-28-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/3984-76-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-66-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-36-0x0000000004DA0000-0x0000000004DE4000-memory.dmp

Filesize
272KB

Download
memory/3984-48-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-60-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-100-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-98-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-96-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-94-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-92-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-90-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-88-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-86-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-84-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-82-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-78-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-34-0x0000000004D00000-0x0000000004D46000-memory.dmp

Filesize
280KB

Download
memory/3984-74-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-72-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-70-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-68-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-35-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/3984-64-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-62-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-58-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-56-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-54-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-52-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-50-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-46-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-44-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-42-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-41-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-80-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-38-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-37-0x0000000004DA0000-0x0000000004DDE000-memory.dmp

Filesize
248KB

Download
memory/3984-943-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/3984-944-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3984-945-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

Filesize
72KB

Download
memory/3984-946-0x0000000008000000-0x000000000803C000-memory.dmp

Filesize
240KB

Download
memory/3984-947-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download