revengerat | be884e9005d0b66c3543229a73ac9451fc73cc691c70a54b8eeda0a219cf0bed

General

Target

ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe
Size

60KB
MD5

ea0ffebc6b7bb611350224fdafac0c85
SHA1

637c6d38ef83148265df8e9335414a0eae556030
SHA256

be884e9005d0b66c3543229a73ac9451fc73cc691c70a54b8eeda0a219cf0bed
SHA512

63f92c2ebad7a934db935267d911434c1ad749d3a5c054c1cf5ed22ee9761ada8d81379ccc5759d6dd1eb85841eacef1b2ebed98f48f35d0a04d28b17386ed50
SSDEEP

768:CG8m4DszmxaYzYy91qzVzIdBqoNyHxaDn2EpdSd5eGvliFz2TozYcHe+Z:X6DsiB01VzayRun2xCkD+

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Caspol	revengerat

Suspicious use of SetThreadContext 2 IoCs

Processes:

ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exeCasPol.exe

description	pid	process	target process
PID 1684 set thread context of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 2988 set thread context of 2584	2988	CasPol.exe	CasPol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

3008 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 1684 ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe
Token: SeDebugPrivilege 2988 CasPol.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

3008 AcroRd32.exe
3008 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings	rundll32.exe

pid	process
3008	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe
Token: SeDebugPrivilege	2988	CasPol.exe

pid	process
3008	AcroRd32.exe
3008	AcroRd32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exeCasPol.exerundll32.exe

description	pid	process	target process
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 1684 wrote to memory of 2988	1684	ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2584	2988	CasPol.exe	CasPol.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2988 wrote to memory of 2960	2988	CasPol.exe	rundll32.exe
PID 2960 wrote to memory of 3008	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 3008	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 3008	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 3008	2960	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea0ffebc6b7bb611350224fdafac0c85_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:2584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Caspol
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Caspol"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RrUUgHRHXJ.txt
Filesize
84B

MD5
cbda19b376fb3858900b87aed6304f42

SHA1
236c4004c2f7829a1d18a905db7b6e8a8e5bda45

SHA256
200e9bf0c4bc7105d3c7d930ba754f071bdd1cc66a9b1eb5a07fd5029c47945b

SHA512
a168940fd9fd3299787ac679c19c453944357ec162f39b08e2b3fa4feb17de0e3c6d64c16dc8073569f4f3c2c64e14227f6c550d04b5134c9c792b248860a4c0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
6f05732c796a6bcc44d73cd16f2eca4c

SHA1
6145275905b05071adf10f4111762559dbe5122c

SHA256
6ba0a71f26a5adbd7fba949a6db73bf261a900f48f1c6d4575f80ae224c535ad

SHA512
739071b831c5e7c86971fc51a5cdac77ed1a0a09e9d131293c6f8d3173b173055dbc771e7cbbbf817c1473485ff0e9798c9de65079d9ad307ca518a503073f33

Download Submit
C:\Users\Admin\AppData\Roaming\Caspol
Filesize
60KB

MD5
ea0ffebc6b7bb611350224fdafac0c85

SHA1
637c6d38ef83148265df8e9335414a0eae556030

SHA256
be884e9005d0b66c3543229a73ac9451fc73cc691c70a54b8eeda0a219cf0bed

SHA512
63f92c2ebad7a934db935267d911434c1ad749d3a5c054c1cf5ed22ee9761ada8d81379ccc5759d6dd1eb85841eacef1b2ebed98f48f35d0a04d28b17386ed50

Download Submit
memory/1684-18-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-2-0x0000000001E00000-0x0000000001E40000-memory.dmp

Filesize
256KB

Download
memory/1684-0-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-41-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-34-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-45-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-42-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-38-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-33-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-21-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-23-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-27-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2584-25-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/2988-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-20-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2988-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-43-0x00000000052B0000-0x00000000052F0000-memory.dmp

Filesize
256KB

Download
memory/2988-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-44-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2988-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-46-0x00000000052B0000-0x00000000052F0000-memory.dmp

Filesize
256KB

Download
memory/2988-50-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2988-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads