redline | 717621ec6ce942aa60ea8a69010d094ceaf73b3b8f4967e901d374d56eefc7ce

Analysis

max time kernel
107s
max time network
156s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
05-01-2025 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
Size

167KB
MD5

ade00f4394a2e63d79de0d3e77628c5d
SHA1

b897fbf235867379a028f26b81911836db27a2c0
SHA256

717621ec6ce942aa60ea8a69010d094ceaf73b3b8f4967e901d374d56eefc7ce
SHA512

4724de9bc2385e7d37fc548443a5fa78000f0853a256c02cd9b4eb2e8a4555f4c96db8c4858f8d16efe2e2af74599e4e3b339cebc7ab40c448025fa5ffce4960
SSDEEP

3072:5zGFjXsW6JDBQastL+2yAAf6p5j4pUCGCQLv7mKGTIycohM/9EZFAD8b2:xoXsWU2BD4pUCGfLzmKrycGM/9qJ2

Score

10^/10

redline credential_access defense_evasion discovery execution infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
Contacts a large (135874) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for modification	/dev/misc/watchdog	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 64 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/15/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/45/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/354/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/492/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/665/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/714/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/755/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/2/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/30/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/221/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/310/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/703/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/705/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/5/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/7/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/14/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/144/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/716/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/717/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/38/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/43/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/143/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/317/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/345/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/637/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/718/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/9/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/47/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/341/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/339/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/708/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/710/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/715/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/731/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/28/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/52/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/201/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/680/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/3/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/21/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/35/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/712/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/713/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/13/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/23/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/57/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/485/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/636/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/707/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/187/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/711/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/10/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/17/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/19/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/24/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/36/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/46/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/11/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/679/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/12/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/18/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/307/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/8/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/20/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	704	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/net/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d

Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
729	sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/schedstat/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/6/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/45/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/58/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/680/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/716/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/kallsyms/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/kmsg/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/self/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/16/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/24/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/244/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/702/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/interrupts/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/cpuinfo/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/5/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/31/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/bus/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/tty/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/pressure/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/kpageflags/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/cgroups/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/thread-self/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/diskstats/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/11/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/717/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/key-users/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/meminfo/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/pagetypeinfo/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/cpuinfo/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/38/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/stat/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/loadavg/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/thread-self/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/43/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/47/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/kmsg/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/interrupts/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/execdomains/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/vmallocinfo/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/vmallocinfo/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/4/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/15/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/636/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/fs/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/apm/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/sysvipc/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/swaps/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/18/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/27/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/707/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/stat/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/buddyinfo/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/14/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/201/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/719/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/cpu/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/iomem/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/driver/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/self/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/modules/maps	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/execdomains/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
File opened for reading	/proc/3/cmdline	JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d

/tmp/JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
/tmp/JaffaCakes118_ade00f4394a2e63d79de0d3e77628c5d
1⤵
- Modifies Watchdog functionality
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:704
- /bin/sh
  sh -c "/bin/busybox wget 2>&1"
  2⤵
  PID:724
- - /bin/busybox
    /bin/busybox wget
    3⤵
    PID:727
- /bin/sh
  /bin/sh -c "wget https://urlhaus.abuse.ch/downloads/text_online/ -q"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:729