redline | 0823571bf2ec2fe312740dfb557536d1ee59b62e502e81d4e8f577e702514c59

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe
Size

747.6MB
MD5

97deb4fcf4c69ab166fd1301455b5dfa
SHA1

0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58
SHA256

0823571bf2ec2fe312740dfb557536d1ee59b62e502e81d4e8f577e702514c59
SHA512

16d83960c7f4fe98031a13a889a3fa994fe504f7300acb251bb6e819327448da8ff4ddc59ee8efdada34cd025a3e4b89f24a7f89dcd3e6b543338a9da6ab5e9b
SSDEEP

12288:BLotIV4X2N9Ogad7pPnJvVKBenSvq33OKjmhI9YSb1jnWLsUmVw3kEun6dHS:Uc4X2TcNpPJdKUiAO8ivMjWLsRV

Score

10^/10

redline ppiinstall discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ppiinstall

5.255.103.64:80

Attributes

auth_value
5b4e066b64a55bd70f10196ec142d81e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2172-47-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/2172-53-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/2172-54-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline

Redline family
redline

Deletes itself 1 IoCs

pid	Process
2816	Brooklyn.exe.pif

Executes dropped EXE 1 IoCs

pid	Process
2816	Brooklyn.exe.pif

Loads dropped DLL 7 IoCs

pid	Process
2308	cmd.exe
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.com
5	iplogger.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2252	tasklist.exe
2848	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2172	2816	Brooklyn.exe.pif	44

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Brooklyn.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tapiunattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
444	cmd.exe
2924	PING.EXE
2880	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2924	PING.EXE
2880	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif
2816	Brooklyn.exe.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2524	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	30
PID 2128 wrote to memory of 2524	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	30
PID 2128 wrote to memory of 2524	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	30
PID 2128 wrote to memory of 2524	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	30
PID 2128 wrote to memory of 444	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	31
PID 2128 wrote to memory of 444	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	31
PID 2128 wrote to memory of 444	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	31
PID 2128 wrote to memory of 444	2128	JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe	31
PID 444 wrote to memory of 2308	444	cmd.exe	33
PID 444 wrote to memory of 2308	444	cmd.exe	33
PID 444 wrote to memory of 2308	444	cmd.exe	33
PID 444 wrote to memory of 2308	444	cmd.exe	33
PID 2308 wrote to memory of 2252	2308	cmd.exe	34
PID 2308 wrote to memory of 2252	2308	cmd.exe	34
PID 2308 wrote to memory of 2252	2308	cmd.exe	34
PID 2308 wrote to memory of 2252	2308	cmd.exe	34
PID 2308 wrote to memory of 1540	2308	cmd.exe	35
PID 2308 wrote to memory of 1540	2308	cmd.exe	35
PID 2308 wrote to memory of 1540	2308	cmd.exe	35
PID 2308 wrote to memory of 1540	2308	cmd.exe	35
PID 2308 wrote to memory of 2848	2308	cmd.exe	37
PID 2308 wrote to memory of 2848	2308	cmd.exe	37
PID 2308 wrote to memory of 2848	2308	cmd.exe	37
PID 2308 wrote to memory of 2848	2308	cmd.exe	37
PID 2308 wrote to memory of 2952	2308	cmd.exe	38
PID 2308 wrote to memory of 2952	2308	cmd.exe	38
PID 2308 wrote to memory of 2952	2308	cmd.exe	38
PID 2308 wrote to memory of 2952	2308	cmd.exe	38
PID 2308 wrote to memory of 2776	2308	cmd.exe	39
PID 2308 wrote to memory of 2776	2308	cmd.exe	39
PID 2308 wrote to memory of 2776	2308	cmd.exe	39
PID 2308 wrote to memory of 2776	2308	cmd.exe	39
PID 2308 wrote to memory of 2816	2308	cmd.exe	40
PID 2308 wrote to memory of 2816	2308	cmd.exe	40
PID 2308 wrote to memory of 2816	2308	cmd.exe	40
PID 2308 wrote to memory of 2816	2308	cmd.exe	40
PID 2308 wrote to memory of 2924	2308	cmd.exe	41
PID 2308 wrote to memory of 2924	2308	cmd.exe	41
PID 2308 wrote to memory of 2924	2308	cmd.exe	41
PID 2308 wrote to memory of 2924	2308	cmd.exe	41
PID 444 wrote to memory of 2880	444	cmd.exe	42
PID 444 wrote to memory of 2880	444	cmd.exe	42
PID 444 wrote to memory of 2880	444	cmd.exe	42
PID 444 wrote to memory of 2880	444	cmd.exe	42
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44
PID 2816 wrote to memory of 2172	2816	Brooklyn.exe.pif	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97deb4fcf4c69ab166fd1301455b5dfa.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\tapiunattend.exe
  tapiunattend.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Inspector.xlam & ping -n 5 localhost
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^rsFkfaUC$" Packed.xlam
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brooklyn.exe.pif
      Brooklyn.exe.pif E
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2924
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Inspector.xlam

Filesize
11KB

MD5
62b35fde6c3bd929b14455f42a7aba51

SHA1
ca3e32ea3b20d1ffe83189a7bfe4c856c0a64220

SHA256
a34ad5c227a3eaccc64273e053b932282188e8132041458d09ec3016e21af84a

SHA512
ec9579a596d9e7d398f10c23bbb90daa83f201725488f0248cd33b25271ff52c9a161de5652e37f87f63a10831e5bb148d8a9d4beffdb557d35db29862834ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Packed.xlam

Filesize
925KB

MD5
6e886da9317a2e0ae693d7e5bc6fe832

SHA1
df79b26408412284d1af644e7c4f617257d86d63

SHA256
67d53fac4523f6621e1033d2ab97a8787fcddba8695fd39626d7186b7b53864b

SHA512
5375befe56fa5c53dc860b9b6d2319b2020b3aec2c7130a9e48e43a624f4fe5582667dbe12d740cc6c081bd32301d3790bd1aa6f3991b7d1a6ba5baa766f6b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Recipe.xlam

Filesize
695KB

MD5
450f295303a69c7cc5bbf525d1bce8a8

SHA1
93b69407d3a6281939b782ed6ee739bea92e138d

SHA256
f525858ebbba889dd5332628a9b0c7fa0ab69466eb42868205c123bbb82a66d7

SHA512
c813f284c24e6df83c8424db5d60bba86b1c987f50d24841536aa0785bf64e2576f81b60c3a145150e2aa7f412c796b86ed21dca27a1a2c2ce700f87ee13611e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brooklyn.exe.pif

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UiFrOPXxH.dll

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/2172-47-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2172-53-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2172-54-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download