Overview

overview

10

Static

static

3

JaffaCakes...57.exe

windows7-x64

10

JaffaCakes...57.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_d12f20d20f23819ef3448bc10873ba57

  • Size

    4.6MB

  • Sample

    250109-ywcjjazkaz

  • MD5

    d12f20d20f23819ef3448bc10873ba57

  • SHA1

    961ab360fa4588bcf7494a08914a59f029d8f5e7

  • SHA256

    7a5fc736a94166592a370b8b311656517e2df180917bbc61fc688eb7df0915cb

  • SHA512

    392d851bda9796a3c351f5b998df90a5e0f1dc116e3ba66f73ad86d254a1d2ca1c526c3f18cd6f4ede626a1fe4001c7e30af021ada55e1adf57d3faa2f624c16

  • SSDEEP

    98304:Uq8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchoKCa:Uqup0Ex8ArMdPABEp0pAKhfCa

Score
10/10
redline@zxckostyan4ikdiscoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

@zxckostyan4ik

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Targets

    • Target

      JaffaCakes118_d12f20d20f23819ef3448bc10873ba57

    • Size

      4.6MB

    • MD5

      d12f20d20f23819ef3448bc10873ba57

    • SHA1

      961ab360fa4588bcf7494a08914a59f029d8f5e7

    • SHA256

      7a5fc736a94166592a370b8b311656517e2df180917bbc61fc688eb7df0915cb

    • SHA512

      392d851bda9796a3c351f5b998df90a5e0f1dc116e3ba66f73ad86d254a1d2ca1c526c3f18cd6f4ede626a1fe4001c7e30af021ada55e1adf57d3faa2f624c16

    • SSDEEP

      98304:Uq8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchoKCa:Uqup0Ex8ArMdPABEp0pAKhfCa

    Score
    10/10
    redline@zxckostyan4ikdiscoveryexecutioninfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

    • Target

      $TEMP/K3M6Ljh9fd22.exe

    • Size

      881KB

    • MD5

      ce5a9ec35a54e669820589d15f1faa07

    • SHA1

      68a5aaa46aa2ce2c3083486f8e265e050cd421ac

    • SHA256

      a5317940f3f36d4c047ef70fcef5aedcdcdb0d9afae7ccfb3220190f09dab15b

    • SHA512

      eb097778c480b9e1bd396895ef86727997cb1c0bd1c3d6863a3d711216c2ce64d1ff647987b57c0e67b9b9673526cd28bc83aaf7177e11a9b348e2960f535131

    • SSDEEP

      12288:X7R++fMJpn22QJZu4+miW4C0mk/6K3aY6Lla4+4RWkepjQEppJjZwtGwfi2FsYD5:rRanLQJZu/Bmki6ExdepH7AhEYFpYq

    Score
    10/10
    redline@zxckostyan4ikdiscoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline
    behavioral3behavioral4

    • Target

      $TEMP/Selfconvened.exe

    • Size

      4.5MB

    • MD5

      64b5e984fda860eedf19c29a124094fb

    • SHA1

      760c195741989e17b48ad52c13bed35e8ea51692

    • SHA256

      1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

    • SHA512

      187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

    • SSDEEP

      98304:xLIWL25lsofrCgl5PmHGjCYv8LHPrVWPa5Qwy:Fslsofuit0bJWPa5QJ

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks