General

  • Target

    JaffaCakes118_4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

  • Size

    20.8MB

  • Sample

    241225-clsl4svjcp

  • MD5

    36b2834c2743039c4df1ce9346886c13

  • SHA1

    1ee1736c4e2aae820b4d6cd80e43fea0ed6eadc6

  • SHA256

    4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

  • SHA512

    43dc749e7002f1ba08b7066e737523a8eaf69365eb148946d6f317234a2eff010307b4210d744a23a7d8641b72ba31fe8735dfcd6d0421537c8ba1293389cd73

  • SSDEEP

    393216:sS8p+jyX+POyHEWdLvAVcybpk43ytUJtUP8kilTun/u1l6I70xA0x4Nsef:sGHtoVchXyKWEIUq02Nsef

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

95.169.210.148:6666

Mutex

bavaulifmjawicwh

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

Sergey

C2

185.203.243.131:27365

Extracted

Family

njrat

Version

0.7d

Botnet

test

C2

hakim32.ddns.net:2000

2.tcp.ngrok.io:17971

Mutex

7510b18d6d0540b453f74c07e4a22b0c

Attributes
  • reg_key

    7510b18d6d0540b453f74c07e4a22b0c

  • splitter

    |'|'|

Extracted

Family

redline

Botnet

@Seno_47

C2

45.81.227.32:22625

Extracted

Family

redline

Botnet

@Fanat_022

C2

152.228.150.198:11188

Targets

    • Target

      1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98

    • Size

      1.0MB

    • MD5

      0d52c34732339d12e58c62cdcbcd2241

    • SHA1

      b00a95fe388a69d375b4e370fa5112dda61c2ede

    • SHA256

      1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98

    • SHA512

      4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de

    • SSDEEP

      24576:OfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:Vo54clgLH+tkWJ0Nj

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6

    • Size

      541KB

    • MD5

      616b97038b6328ae6e45a08077df4a7a

    • SHA1

      11473c1f0515f06579e7704dc036bbc620c7510a

    • SHA256

      236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6

    • SHA512

      4730733b4be691840fa1905fc4bfeeeba7ebb06e10d24cfe78a285a3e518a2f2ba31bbc378cda68edf4311df322fd137ed1f65d4b844737e9f0df547506c04e0

    • SSDEEP

      12288:vNpszYhvXWSVJdMaeaxxJHuT8DmP79TovFZFW84:FhvJVJdMQPuTVP792gR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560

    • Size

      405KB

    • MD5

      bf2e00fc28e5f89ec6b3b457a5a245fb

    • SHA1

      d42962e2e987c4cd8201badf832f3368afb09d24

    • SHA256

      25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560

    • SHA512

      e1f61fec329fab9f0bd997e7b34945e156475a53531c30630a03c550e60c029627e5697c5efb6a0a81b2bc23e178264aabfb26c8b68153d7107d367035730b2a

    • SSDEEP

      12288:wa8EKlXgFxY3wBeTLDQknVwtw/eMTM6fXgyyC5Te4A6:wDQkqm7nwHC5ZA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

    • Target

      54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9

    • Size

      15.7MB

    • MD5

      79339229bc0c59d7b5abba71d1c96a8e

    • SHA1

      4c7c22308821a08edeacebe691da49249384de9d

    • SHA256

      54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9

    • SHA512

      a173e48fb0cb08705e56468ffc0a6845b03b261e98d282815eebdf77f482064a9c89f84ada89ef3aa994d0727db34629ff51e021bbcf8abd6fac5354ce295af2

    • SSDEEP

      393216:jhufPMmrg+zE0xNXm9wphJ/4ODYo1lgvx5Okbp:ofZtW9wpQ2SLOk1

    Score
    3/10
    • Target

      7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4

    • Size

      4.5MB

    • MD5

      dde0965428c655c1fabbcba5a44e7830

    • SHA1

      b5118f55982bf9784bb34a3f0af738f7d409a5ff

    • SHA256

      7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4

    • SHA512

      f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13

    • SSDEEP

      98304:t38JVPdnSYmzQTkZKhu8PXq7Yf7nRSVfbmfgwLAG:Z85nYUjCkTnR6fPQAG

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Target

      9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0

    • Size

      359KB

    • MD5

      f476fd152a5d6a53f297517f9ffca28e

    • SHA1

      a0bc4cb4763de9f540fca4f97835522620087e17

    • SHA256

      9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0

    • SHA512

      56f683733356faa4be86883e3248ab70884c645e61dedc7ceba64eefa4813b2fda04d102e7b8c5794093f2c5918049900da987b2e235764e4ea87e78224003dc

    • SSDEEP

      6144:2IN5Yqofb4MI1XfPpnvTGLkZ96Tvu2fHk+:2C5Y3fb4MINfPpnvCLkZ96TvffHk+

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of SetThreadContext

    • Target

      a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b

    • Size

      83KB

    • MD5

      4ed7de390496be3ec2ea7fdb3804282a

    • SHA1

      2c919d469853fac9a7719f59407b395e8e360a49

    • SHA256

      a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b

    • SHA512

      5716a8d9d86f9b1f1ad53f3fca96b5622b83ede56d370edc309a503263ad52b542b29e5d74810aed013e9f2e00b77b8c54d81aa0b43c77bfdf5bc7227251bd86

    • SSDEEP

      1536:83kml69eWJKrec/tOu6Qes2cI2FDrj7fk1ImNUITeT0MB:80mlketr1/Qu6o2QFkSmN4p

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

    • Size

      206KB

    • MD5

      70c771952bc897446d3ddad90541a1e6

    • SHA1

      b00b50a893e4552651c4a5c38cf4bb9aed7a101e

    • SHA256

      aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

    • SHA512

      33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

    • SSDEEP

      3072:UVqoCl/YgjxEufVU0TbTyDDalW49D9fMiSE9CCHGOn54yWgW9tFwyMJjVQbE/FGl:UsLqdufVUNDapD9fMs9u7

    • Modifies visibility of hidden/system files in Explorer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827

    • Size

      48KB

    • MD5

      13ed5f6560bb91d089f56bd4ca015ff0

    • SHA1

      f43cd2a78815c1ca4091207a8f36cc68398550bf

    • SHA256

      d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827

    • SHA512

      5d6adf163ca3e18691fc0b34ce1b8277a540e93cb387ae7813bc1dbc84d2c75ca8ff462e67083c08ae4f3cdfdfb1f2671cdd30738f6bbf824b2a93bda7043ad2

    • SSDEEP

      768:OqXwHbXXUIbp98FZbMF1NCxRGa0baDHJeRdlYnXVEK44pDBNYI6OCF2tYcFmVc6K:O5bp84v4+baD8RdloyK99x6OoKmVcl

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, null, asyncrat
Score
10/10

behavioral1

Score
6/10

behavioral2

discovery, spyware, stealer
Score
7/10

behavioral3

redline, sectoprat, @seno_47, discovery, infostealer, rat, trojan
Score
10/10

behavioral4

redline, sectoprat, @seno_47, discovery, infostealer, rat, trojan
Score
10/10

behavioral5

redline, sectoprat, @fanat_022, discovery, infostealer, rat, trojan
Score
10/10

behavioral6

redline, sectoprat, @fanat_022, discovery, infostealer, rat, trojan
Score
10/10

behavioral7

Score
1/10

behavioral8

discovery
Score
3/10

behavioral9

glupteba, metasploit, backdoor, discovery, dropper, evasion, loader, persistence, privilege_escalation, rootkit, trojan
Score
10/10

behavioral10

glupteba, metasploit, backdoor, discovery, dropper, evasion, loader, persistence, privilege_escalation, rootkit, trojan
Score
10/10

behavioral11

redline, sectoprat, sergey, discovery, infostealer, rat, trojan
Score
10/10

behavioral12

redline, sectoprat, sergey, discovery, infostealer, rat, trojan
Score
10/10

behavioral13

njrat, test, discovery, evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral14

discovery, evasion, persistence, privilege_escalation
Score
8/10

behavioral15

discovery, evasion, execution, persistence
Score
10/10

behavioral16

discovery, evasion, execution, persistence
Score
10/10

behavioral17

asyncrat, null, rat
Score
10/10

behavioral18

asyncrat, null, rat
Score
10/10