revengerat | e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

General

Target

82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe
Size

56KB
MD5

82c482f8af3d699aeb51034dc506cd1c
SHA1

1c65ce6be62627ee36db9c1b1d912297e6f99abe
SHA256

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3
SHA512

6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899
SSDEEP

768:Bs+U4zL+fRTtmqOE1UpUrz5bLLgwernMqxNTzFNBvKKU1RkWEy7mELj2T0p:I4PCbOE1UpUn5TextFNlbU1RkUmEt

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000e000000013420-6.dat	revengerat

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.URL	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.js	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk	svnosht.exe

Executes dropped EXE 3 IoCs

pid	Process
2640	svnosht.exe
1612	svnosht.exe
900	svnosht.exe

Loads dropped DLL 3 IoCs

pid	Process
1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe
1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe
2640	svnosht.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\svnosht.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svnosht.exe"	svnosht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
344	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	svnosht.exe
Token: SeDebugPrivilege	1612	svnosht.exe
Token: SeDebugPrivilege	900	svnosht.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2640	1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe	28
PID 1228 wrote to memory of 2640	1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe	28
PID 1228 wrote to memory of 2640	1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe	28
PID 1228 wrote to memory of 2640	1228	82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe	28
PID 2640 wrote to memory of 1336	2640	svnosht.exe	31
PID 2640 wrote to memory of 1336	2640	svnosht.exe	31
PID 2640 wrote to memory of 1336	2640	svnosht.exe	31
PID 2640 wrote to memory of 1336	2640	svnosht.exe	31
PID 1336 wrote to memory of 1840	1336	vbc.exe	33
PID 1336 wrote to memory of 1840	1336	vbc.exe	33
PID 1336 wrote to memory of 1840	1336	vbc.exe	33
PID 1336 wrote to memory of 1840	1336	vbc.exe	33
PID 2640 wrote to memory of 344	2640	svnosht.exe	34
PID 2640 wrote to memory of 344	2640	svnosht.exe	34
PID 2640 wrote to memory of 344	2640	svnosht.exe	34
PID 2640 wrote to memory of 344	2640	svnosht.exe	34
PID 1724 wrote to memory of 1612	1724	taskeng.exe	37
PID 1724 wrote to memory of 1612	1724	taskeng.exe	37
PID 1724 wrote to memory of 1612	1724	taskeng.exe	37
PID 1724 wrote to memory of 1612	1724	taskeng.exe	37
PID 1724 wrote to memory of 900	1724	taskeng.exe	38
PID 1724 wrote to memory of 900	1724	taskeng.exe	38
PID 1724 wrote to memory of 900	1724	taskeng.exe	38
PID 1724 wrote to memory of 900	1724	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82c482f8af3d699aeb51034dc506cd1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Roaming\svnosht.exe
  "C:\Users\Admin\AppData\Roaming\svnosht.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gtkrq_am.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES250F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc250E.tmp"
      4⤵
      PID:1840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "svnosht.exe" /tr "C:\Users\Admin\AppData\Roaming\svnosht.exe"
    3⤵
    - Creates scheduled task(s)
    PID:344

C:\Windows\system32\taskeng.exe
taskeng.exe {0FD21FEA-8152-4078-B016-7AF19338AF5F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\svnosht.exe
  C:\Users\Admin\AppData\Roaming\svnosht.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Users\Admin\AppData\Roaming\svnosht.exe
  C:\Users\Admin\AppData\Roaming\svnosht.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES250F.tmp

Filesize
1KB

MD5
582f057cd681bceb004ef69ea8b20f7c

SHA1
e6a6f0f51f1c4047a791ac2f6097504ca8c8bb49

SHA256
e89ddaaccf5f3de5a7a7151e0faa4e4d594767f344a3cf8782f077c0c5d45437

SHA512
c480c479e3bbe7c62a74ab76105c654eb828f70f700728cd03c30beb04590a4619e5c5f58db7110e2d9e80a83195aba5a4dc2aaee77f9a5ffde57d413c5a76eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtkrq_am.0.vb

Filesize
151B

MD5
dbc11087af9a5a5bc73f3eec9e1a88bd

SHA1
d3a7da895f39e5377aafb2e3a25da4c482f99b67

SHA256
058e29b22e8495d1fcdb2ef994b9f6bf276066f5ab89d1d2d658d8945d55254b

SHA512
80a37a1b0dae14a673e82f869f170541f301a6c1d0c81842cc0ab5529bc68eb56c46e328a4d659e7d5b8ab9e105fa604b7b03c8f96c1412d39eabfe61939e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtkrq_am.cmdline

Filesize
198B

MD5
0ff1dcbecc4bf68698e18ef7eaefa662

SHA1
704a752b6fce6eb64dc1f4e143c441acd929b1f3

SHA256
6ecdf069f33770da263efacd24a3e4f35d99600e4837463c65166c91e605a4b6

SHA512
85b2397e9aa0078ee728cc4cf757138f21e4d2c320127b17500701c0e347d36592ea08555e4c14097d2cfb3282771cee4af1790f2acdb4601a108a282136bf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc250E.tmp

Filesize
676B

MD5
6c51e75b6e74d5d4c93ad5da8b15790e

SHA1
0f2f268d354c03fb11ac6b5548650de793583535

SHA256
a646a41cad107940e782bd4ccc785772521bd03851e65684defcc70bcab85995

SHA512
b9451ce5d60f4ce3b898cc9f5696d4a2146de5805f4fa36f055eb6a3d2176ec7818c8736712e51f64a4b02af0584ceac5c3f3bcb84918b01e4df0244ff42cbda

Download Submit
\Users\Admin\AppData\Roaming\svnosht.exe

Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
memory/1228-1-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-2-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-3-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-13-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-0-0x0000000074741000-0x0000000074742000-memory.dmp

Filesize
4KB

Download
memory/2640-15-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-18-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-17-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-16-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads