General

  • Target

    JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

  • Size

    700.0MB

  • Sample

    241225-tn3njaxqax

  • MD5

    9a2c573e882d31251e1bcd07ba90585f

  • SHA1

    d46878f2ad28df08972371a617bce73ae623523c

  • SHA256

    d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

  • SHA512

    40ac3d1cca6bb8eb7ccfb0d1ae0467423b0355ee5cded84b1095a284f08cecbd70325b808df933d47a7af60081470ad71ee1021e724759227379052302ff3894

  • SSDEEP

    98304:h9eCUTzzphq1G/jxZIo0YYUOJimJJQYts5JcyTcvg6BtufkCJ:PefTzVhqpP9JvgpTcvf7ufz

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Notepad_2

  • C2

    194.36.177.124:39456

  • Attributes

    • auth_value

      37464cc4dd294b9925a8c1092e1c72a9

Targets

    • Target

      JaffaCakes118_d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

    • Size

      700.0MB

    • MD5

      9a2c573e882d31251e1bcd07ba90585f

    • SHA1

      d46878f2ad28df08972371a617bce73ae623523c

    • SHA256

      d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

    • SHA512

      40ac3d1cca6bb8eb7ccfb0d1ae0467423b0355ee5cded84b1095a284f08cecbd70325b808df933d47a7af60081470ad71ee1021e724759227379052302ff3894

    • SSDEEP

      98304:h9eCUTzzphq1G/jxZIo0YYUOJimJJQYts5JcyTcvg6BtufkCJ:PefTzVhqpP9JvgpTcvf7ufz

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Purecrypter family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
