revengerat | 117c5cf0e27bf23b55685767432ab6d2819a52c91423ed0eb74c221d96b6ce98

General

Target

receipt_ups.js
Size

217KB
MD5

3cf58910eb5201dac3201d875f399c31
SHA1

6ececbecf3d424663818288c69882037ab261347
SHA256

117c5cf0e27bf23b55685767432ab6d2819a52c91423ed0eb74c221d96b6ce98
SHA512

98ceeabb6b4227eb0d694cce02e58700dd24375985e4e4ab728039aeb8080fa44dee8c2cdec4eb651eb582a5b422add91dd635157fbe011dbfa7ec911209929a

Score

10^/10

revengerat vjw0rm nyancatrevenge persistence trojan worm

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

macjoe597.duia.ro:3175

Mutex

1e858dc786914c61

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9998

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

10 4176 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

macjoe597.exe

pid process

4548 macjoe597.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt_ups.js wscript.exe

flow	pid	process
10	4176	wscript.exe

pid	process
4548	macjoe597.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt_ups.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSAGQWKNY8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt_ups.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4700 schtasks.exe

pid	process
4700	schtasks.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 4176 wrote to memory of 3948	4176	wscript.exe	wscript.exe
PID 4176 wrote to memory of 3948	4176	wscript.exe	wscript.exe
PID 3948 wrote to memory of 4548	3948	wscript.exe	macjoe597.exe
PID 3948 wrote to memory of 4548	3948	wscript.exe	macjoe597.exe
PID 3948 wrote to memory of 4548	3948	wscript.exe	macjoe597.exe
PID 4176 wrote to memory of 4700	4176	wscript.exe	schtasks.exe
PID 4176 wrote to memory of 4700	4176	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt_ups.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jwYBCcIuxH.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Roaming\macjoe597.exe
"C:\Users\Admin\AppData\Roaming\macjoe597.exe"
3⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt_ups.js
2⤵
- Creates scheduled task(s)
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jwYBCcIuxH.js
MD5
dc35305ce8737616ea2e943fa3a03785

SHA1
593fa4530ac2d799fc3b288a70ea655e08334113

SHA256
c12833fbe7ece48a19bad103998ce39b1ed0946c10033ea26edc717c6e989b45

SHA512
04f086a02a711798adcd4b83af5986da9129684182e7557b16210486b35ae9870a8f9b38603c970b935c54f6530e01038ed5950691a1c3fc5b18f6383939e58d

Download Submit
C:\Users\Admin\AppData\Roaming\macjoe597.exe
MD5
6f2422ca1b1665f0c181784b3738e100

SHA1
0ec0385993acd6fd49a13e670bc62904e7067e02

SHA256
977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

SHA512
e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

Download Submit
C:\Users\Admin\AppData\Roaming\macjoe597.exe
MD5
6f2422ca1b1665f0c181784b3738e100

SHA1
0ec0385993acd6fd49a13e670bc62904e7067e02

SHA256
977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

SHA512
e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

Download Submit
memory/3948-115-0x0000000000000000-mapping.dmp

Download
memory/4548-117-0x0000000000000000-mapping.dmp

Download
memory/4548-121-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4700-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads