Malware Analysis Report

2024-10-19 08:43

Sample ID: 240725-t9nrhavgrf
Target: 706a0007757e04f537cab552db5a0fd7_JaffaCakes118
SHA256: 4082a22131a166a8ff103e2e47d0080b65243e49c578d94d81a65ef26efb1e0a
Tags: stealer revengerat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4082a22131a166a8ff103e2e47d0080b65243e49c578d94d81a65ef26efb1e0a

Threat Level: Known bad

The file 706a0007757e04f537cab552db5a0fd7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat

RevengeRat Executable

Revengerat family

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-25 16:45

Signatures

RevengeRat Executable (tag: stealer)

Description / Indicator / Process / Target: N/A

Revengerat family (tag: revengerat)

Unsigned PE

Description / Indicator / Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-25 16:45
Reported: 2024-07-25 18:29
Platform: win7-20240704-en
Max time kernel: 13s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Laura.jar"

Network

N/A

Files

memory/1944-0-0x000007FEF5A2E000-0x000007FEF5A2F000-memory.dmp

memory/1944-1-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1944-2-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1944-4-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Laura.jar

MD5 494791abbc84c5933bbb81c598b0cf42
SHA1 a9fd2a2c807d3dc5c9d0a88b512d89878b182f29
SHA256 fd0a6a158132efde236f56b1ad8ec9e1fdd1f0d50ee2bc76b9b2900fe832ea70
SHA512 7b8e4e6bd7b598ca027c0690f60154e679d4e517e554c8606ecd90dfa2bfe2788ae9c0227cbbe46b91dc782316bfb139f79a6e2e2972fc78fea1db28fd9aa1a3

memory/2016-8-0x0000000002210000-0x0000000002480000-memory.dmp

memory/2016-16-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2016-17-0x0000000002210000-0x0000000002480000-memory.dmp

memory/1944-18-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-25 16:45
Reported: 2024-07-25 19:43
Platform: win10v2004-20240709-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings
Process: C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\706a0007757e04f537cab552db5a0fd7_JaffaCakes118.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Laura.jar"

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53           71.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53           g.bing.com                      udp
US       204.79.197.237:443   g.bing.com                      tcp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa     udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
US       150.171.28.10:443    tse1.mm.bing.net                tcp
US       150.171.28.10:443    tse1.mm.bing.net                tcp
US       150.171.28.10:443    tse1.mm.bing.net                tcp
US       150.171.28.10:443    tse1.mm.bing.net                tcp
US       150.171.28.10:443    tse1.mm.bing.net                tcp
US       8.8.8.8:53           10.28.171.150.in-addr.arpa      udp
US       8.8.8.8:53           25.140.123.92.in-addr.arpa      udp
US       8.8.8.8:53                                           udp

Files

memory/3280-0-0x00007FFE084C5000-0x00007FFE084C6000-memory.dmp

memory/3280-1-0x00007FFE08210000-0x00007FFE08BB1000-memory.dmp

memory/3280-2-0x000000001C1D0000-0x000000001C69E000-memory.dmp

memory/3280-3-0x00007FFE08210000-0x00007FFE08BB1000-memory.dmp

memory/3280-4-0x000000001C6A0000-0x000000001C746000-memory.dmp

memory/3280-5-0x000000001C7F0000-0x000000001C88C000-memory.dmp

memory/3280-6-0x0000000001470000-0x0000000001478000-memory.dmp

memory/3280-7-0x000000001C920000-0x000000001C96C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Laura.jar

MD5 494791abbc84c5933bbb81c598b0cf42
SHA1 a9fd2a2c807d3dc5c9d0a88b512d89878b182f29
SHA256 fd0a6a158132efde236f56b1ad8ec9e1fdd1f0d50ee2bc76b9b2900fe832ea70
SHA512 7b8e4e6bd7b598ca027c0690f60154e679d4e517e554c8606ecd90dfa2bfe2788ae9c0227cbbe46b91dc782316bfb139f79a6e2e2972fc78fea1db28fd9aa1a3

memory/3280-13-0x00007FFE08210000-0x00007FFE08BB1000-memory.dmp

memory/2936-14-0x0000023FA4D60000-0x0000023FA4FD0000-memory.dmp

memory/2936-23-0x0000023FA3470000-0x0000023FA3471000-memory.dmp

memory/2936-24-0x0000023FA4D60000-0x0000023FA4FD0000-memory.dmp

memory/3280-26-0x00007FFE08210000-0x00007FFE08BB1000-memory.dmp