Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 04:05

General

  • Target

    7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    7285fe11585198388f629e081d1c0f83

  • SHA1

    e68034ebf92b0d78f3c1feaaeedcf6660209df21

  • SHA256

    df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203

  • SHA512

    9b8179830bc7cd410562f083599a442eab65894e644da4f5e9843d419046744b3fb29a16679fed84f818d08227d8f7839d1ba21dc5d02a44737e342f3400547e

  • SSDEEP

    49152:9kQ8FXrOuMlEmyUQZc36sPjMvU7PbdKJf8EWj:6Q8RDOEmySqsrQoKU

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • RevengeRat Executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
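The three evasion signatures above (VirtualBox ACPI tables, BIOS strings, Wine keys) each reduce to a registry lookup. The following is an added example, not code from the sample or from the sandbox, that evaluates those lookups against a registry snapshot supplied as a plain dict so it runs offline; on a real host the dict would be filled from `winreg`. The key paths are the standard VirtualBox and Wine artifacts; the value names under `BIOS_CHECKS` are an assumption about which fields such checks read, and the two snapshots are constructed, not captured from this run.

```python
import re
from typing import Any

# Strings VirtualBox leaves in firmware/DMI fields ("innotek GmbH" is the
# default system vendor string; "VBOX"/"VirtualBox" appear in BIOS versions).
VBOX_MARK = re.compile(r"vbox|virtualbox|innotek", re.IGNORECASE)

ACPI_TABLES = ("DSDT", "FADT", "RSDT")

# Registry values commonly read for BIOS fingerprinting (assumption: chosen
# to match what the "Checks BIOS information in registry" signature covers).
BIOS_CHECKS = {
    r"HKLM\HARDWARE\DESCRIPTION\System": ("SystemBiosVersion", "VideoBiosVersion"),
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": ("SystemManufacturer", "SystemProductName"),
}

WINE_KEYS = (r"HKCU\Software\Wine", r"HKLM\Software\Wine")


def vm_indicators(reg: dict[str, dict[str, Any]]) -> list[str]:
    """Return the evidence the three signatures would key on.

    `reg` maps a full registry key path to its values; a key present with an
    empty dict just records that the subkey exists, which is all the ACPI and
    Wine checks need. Key paths are compared case-insensitively.
    """
    lowered = {k.lower(): v for k, v in reg.items()}
    hits: list[str] = []

    # 1. VirtualBox publishes its ACPI tables with OEM id VBOX__, which shows
    #    up as the subkey directly under HARDWARE\ACPI\<table>.
    for table in ACPI_TABLES:
        prefix = "hklm\\hardware\\acpi\\" + table.lower() + "\\vbox__"
        if any(k.startswith(prefix) for k in lowered):
            hits.append(f"ACPI {table} OEM id is VBOX__")

    # 2. BIOS / DMI strings; REG_MULTI_SZ values arrive as lists of strings.
    for key, names in BIOS_CHECKS.items():
        values = lowered.get(key.lower(), {})
        for name in names:
            raw = values.get(name)
            if raw is None:
                continue
            text = " ".join(raw) if isinstance(raw, (list, tuple)) else str(raw)
            if VBOX_MARK.search(text):
                hits.append(f"{name} = {text!r}")

    # 3. Wine creates Software\Wine on first run; its presence alone is the tell.
    for key in WINE_KEYS:
        if key.lower() in lowered:
            hits.append(f"{key} exists")
    return hits


# Constructed snapshots. VBOX_GUEST is modelled on an unmodified VirtualBox
# guest; HARDENED_GUEST has the same layout with vendor strings and the ACPI
# OEM id replaced, as a sandbox image that wants to survive these checks would.
VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__\VBOXBIOS\00000002": {},
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__\VBOXFACP\00000001": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "innotek GmbH",
        "SystemProductName": "VirtualBox",
    },
}

HARDENED_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\DELL__\DELLBIOS\00000002": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["DELL   - 1072009", "A12"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "Dell Inc.",
        "SystemProductName": "OptiPlex 7010",
    },
}

WINE_HOST = {r"HKCU\Software\Wine": {}}

if __name__ == "__main__":
    for label, snap in (("vbox", VBOX_GUEST), ("hardened", HARDENED_GUEST), ("wine", WINE_HOST)):
        print(label, vm_indicators(snap))
```

The hardened snapshot passes all three checks while keeping the same key layout, which is the point: a sample like this one decides on string content and subkey names, not on whether the keys exist, so scrubbing the OEM id and DMI strings is what an analysis image needs.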

Processes

  • C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
      "C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
        "C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c getmac /v /fo list
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\getmac.exe
        getmac /v /fo list
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2932
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8FF2FF46-EBFA-4F1A-911C-13D83DD5B12F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
    1⤵
      PID:3020
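The process tree above carries three detectable moves: a scheduled task named "Chrome Updater" that re-launches a Start Menu binary every minute, dropped files named after genuine Windows components (the display names of SecurityHealthService.exe and fontdrvhost.exe) executing from user-writable paths, and `getmac /v /fo list` spawned via cmd.exe by the Temp-resident dropper. The following is an added example, not code from the sample or the sandbox, that encodes those three rules and runs them over process-creation events constructed from this report's tree. The event schema (`ProcessEvent`) is an assumption loosely modelled on Sysmon process-creation fields; PIDs, paths and command lines are taken from the report, and the parent of the root process, which the report does not show, is left empty.

```python
import re
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations a standard user can write to; every dropped stage in this
# report launches from one of them.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.IGNORECASE
)

# Display names of real Windows components that this sample reuses as file
# names (assumption: a watchlist to extend from a golden image; the genuine
# binaries live under C:\Windows\System32, never under a user profile).
COMPONENT_NAMES = {"windows security health service", "usermode font driver host"}


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def schtasks_args(command_line: str) -> dict:
    """Pull /create, /sc, /mo, /tn and /tr out of a schtasks command line.
    Non-POSIX shlex keeps backslashes literal and treats "..." as one token."""
    argv = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    out: dict = {}
    for i, tok in enumerate(argv):
        key = tok.lower()
        if key == "/create":
            out["create"] = True
        elif key in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(argv):
            out[key] = argv[i + 1]
    return out


def evaluate(events: list) -> list:
    """Apply the three rules and return one finding string per hit, in event order."""
    findings = []
    for e in events:
        path = PureWindowsPath(e.image)
        name, stem = path.name.lower(), path.stem.lower()
        from_user_dir = bool(USER_WRITABLE.match(e.image))
        parent_from_user_dir = bool(USER_WRITABLE.match(e.parent_image))

        # Rule 1: a minute-interval task whose action lives in a user-writable path.
        if name == "schtasks.exe":
            a = schtasks_args(e.command_line)
            if (a.get("create") and a.get("/sc", "").lower() == "minute"
                    and USER_WRITABLE.match(a.get("/tr", ""))):
                findings.append(f"pid {e.pid}: every-minute task {a.get('/tn')!r} runs {a['/tr']}")

        # Rule 2: a Windows component display name executing outside System32.
        if from_user_dir and stem in COMPONENT_NAMES:
            findings.append(f"pid {e.pid}: component name {path.name!r} launched from {path.parent}")

        # Rule 3: MAC address collection launched by a process in a user-writable path.
        if name == "cmd.exe" and "getmac" in e.command_line.lower() and parent_from_user_dir:
            findings.append(f"pid {e.pid}: host fingerprinting via getmac from {e.parent_image}")
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
START_MENU = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
DROPPER = TEMP + r"\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
STAGE2 = TEMP + r"\GoldHaxV2.98464Bit.exe"
STAGE3 = TEMP + r"\GoldHax V2.984 64 Bit.EXE"
SVC = TEMP + r"\Windows Security Health Service.exe"
PERSIST = START_MENU + r"\Usermode Font Driver Host.exe"

# Constructed from the process tree above; the root's parent is not in the report.
EVENTS = [
    ProcessEvent(2516, "", DROPPER, f'"{DROPPER}"'),
    ProcessEvent(2700, DROPPER, STAGE2, f'"{STAGE2}"'),
    ProcessEvent(2708, STAGE2, STAGE3, f'"{STAGE3}"'),
    ProcessEvent(2624, STAGE2, SVC, f'"{SVC}"'),
    ProcessEvent(1364, SVC, PERSIST, f'"{PERSIST}"'),
    ProcessEvent(1124, PERSIST, r"C:\Windows\SysWOW64\schtasks.exe",
                 'schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "' + PERSIST + '"'),
    ProcessEvent(2792, DROPPER, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /c getmac /v /fo list'),
    ProcessEvent(2932, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\getmac.exe",
                 "getmac /v /fo list"),
]

if __name__ == "__main__":
    for line in evaluate(EVENTS):
        print(line)
```

Rule 1 keys on the task's action path rather than its name, because "Chrome Updater" is chosen to blend in and will vary between builds, while a task that fires every minute from a Roaming or Temp path is rare on a clean host. Rule 2 is the cheap check for the masquerading this tree shows; the Run key the report also flags for PID 1364 would be caught the same way by comparing the registered command path against `USER_WRITABLE`.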

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

      Filesize

      125KB

      MD5

      6a62d4ed369105b26b6133f536160791

      SHA1

      f9e232fb7f7316fbaafcb817235e2406ebd8db79

      SHA256

      fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70

      SHA512

      ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980

    • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

      Filesize

      53KB

      MD5

      996f495437c25b794acafc4b0f945a84

      SHA1

      e22fb0120b9988928303323593478edad4887fa3

      SHA256

      d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f

      SHA512

      0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63

    • \Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

      Filesize

      177KB

      MD5

      76aca22cbb97f33600ac8a57643e9521

      SHA1

      7f0fbe012460ff4ed705f2002190b72f717eab8f

      SHA256

      d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a

      SHA512

      50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0

    • memory/2516-0-0x0000000001040000-0x0000000001312000-memory.dmp

      Filesize

      2.8MB

    • memory/2516-1-0x0000000001040000-0x0000000001312000-memory.dmp

      Filesize

      2.8MB

    • memory/2516-2-0x0000000001040000-0x0000000001312000-memory.dmp

      Filesize

      2.8MB

    • memory/2516-3-0x00000000009A0000-0x00000000009D6000-memory.dmp

      Filesize

      216KB

    • memory/2516-27-0x0000000001040000-0x0000000001312000-memory.dmp

      Filesize

      2.8MB

    • memory/2700-10-0x0000000001290000-0x00000000012C2000-memory.dmp

      Filesize

      200KB