Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 04:05

General

  • Target

    7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    7285fe11585198388f629e081d1c0f83

  • SHA1

    e68034ebf92b0d78f3c1feaaeedcf6660209df21

  • SHA256

    df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203

  • SHA512

    9b8179830bc7cd410562f083599a442eab65894e644da4f5e9843d419046744b3fb29a16679fed84f818d08227d8f7839d1ba21dc5d02a44737e342f3400547e

  • SSDEEP

    49152:9kQ8FXrOuMlEmyUQZc36sPjMvU7PbdKJf8EWj:6Q8RDOEmySqsrQoKU

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • RevengeRat Executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
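
The four registry-based anti-analysis signatures above (VirtualBox ACPI values, BIOS strings, Wine keys, location settings) all come down to reads of a handful of well-known registry paths, which makes them easy to reproduce as detection logic over registry-access telemetry. The Python classifier below is an added example, not part of this report or of the sandbox's own signature engine: it tags registry-read events with the same signature names the report uses. The key paths are the ones these checks commonly use and are an assumption, since the report does not list the exact values the sample read; the RegEvent shape and the sample events are constructed here, modelled on PIDs 5000 and 1960 from the process tree.

```python
import re
from dataclasses import dataclass

# Registry paths commonly read by anti-VM / anti-sandbox code, keyed by the
# signature name the report uses. ASSUMPTION: these are the well-known paths
# for each check; the report does not list the exact values the sample read.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": [
        re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    ],
    "Checks BIOS information in registry": [
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", re.I),
    ],
    "Identifies Wine through registry keys": [
        re.compile(r"^HK(LM|CU)\\Software\\Wine(\\|$)", re.I),
    ],
    "Checks computer location settings": [
        re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I),
    ],
}


@dataclass
class RegEvent:
    """One registry read, in the shape a Sysmon-style event would give us (assumed)."""
    pid: int
    image: str
    target: str


def normalize(path: str) -> str:
    """Collapse the hive spellings seen in telemetry into HKLM\\ / HKCU\\ prefixes."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", "HKLM\\\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", "HKCU\\\\", path, flags=re.I)
    path = re.sub(r"^HKEY_CURRENT_USER\\", "HKCU\\\\", path, flags=re.I)
    return path


def classify(event: RegEvent) -> list:
    """Signature names whose key patterns match this event's target path."""
    target = normalize(event.target)
    return [name for name, pats in SIGNATURES.items() if any(p.search(target) for p in pats)]


def summarize(events) -> dict:
    """{pid: set of signature names} for every process that tripped at least one."""
    out = {}
    for ev in events:
        for name in classify(ev):
            out.setdefault(ev.pid, set()).add(name)
    return out


# Constructed sample telemetry: what PID 5000 (the submitted binary) and PID 1960
# (GoldHaxV2.98464Bit.exe) would emit to trip the signatures listed in the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
SAMPLE_EVENTS = [
    RegEvent(5000, DROPPER, r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    RegEvent(5000, DROPPER, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(5000, DROPPER, r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    RegEvent(5000, DROPPER, r"HKEY_CURRENT_USER\Software\Wine"),
    RegEvent(5000, DROPPER, r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Control Panel\International\Geo\Nation"),
    RegEvent(1960, STAGE2, r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    # an ordinary Run-key read matches nothing, so PID 1960 ends up with a single tag
    RegEvent(1960, STAGE2, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for pid, names in sorted(summarize(SAMPLE_EVENTS).items()):
        print(pid, sorted(names))
```

The hive normalisation matters in practice: Sysmon and ETW providers spell the same key as `\REGISTRY\MACHINE\...`, `HKEY_LOCAL_MACHINE\...` or `HKLM\...` depending on the source, and a rule written against only one spelling silently misses the others.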

Processes

  • C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
      "C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
        "C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2084
      • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:620
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c getmac /v /fo list
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\getmac.exe
        getmac /v /fo list
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2404
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:548
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1700
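
The process tree above is a compact persistence-and-recon chain: a dropper in %TEMP% launches stages whose file names copy the display names of real Windows components, the final stage installs itself under the Start Menu folder and registers a scheduled task named "Chrome Updater" that re-runs it every minute, and the original binary shells out to getmac for host fingerprinting. As an added example that is not part of this report, the Python below encodes those behaviours as four rules over process-creation events and runs them on the tree reconstructed from the PIDs and command lines in the report. The ProcEvent shape, the rule names and the thresholds are this example's own choices, not the sandbox's; the parent of PID 5000 is not given in the report and is left as None.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-creation event (assumed shape; fields as a Sysmon-style feed gives them)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)

# File names the sample uses for its dropped stages. They are the display names of real
# Windows components (fontdrvhost.exe and SecurityHealthService.exe), which only live
# under C:\Windows; a binary with one of these names anywhere else is masquerading.
SYSTEM_LOOKALIKES = {"windows security health service.exe", "usermode font driver host.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _opt(cmdline: str, name: str):
    """Value of a schtasks-style /<name> option, quoted or bare; None if absent."""
    m = re.search(r"/" + re.escape(name) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_schtasks(ev: ProcEvent):
    """schtasks /create with a tight re-run interval and/or a user-writable target."""
    if _basename(ev.image).lower() != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    sc, mo, tn, tr = (_opt(ev.cmdline, o) for o in ("sc", "mo", "tn", "tr"))
    target = tr or ""
    reasons = []
    if sc and sc.lower() == "minute" and mo and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"re-runs every {mo} minute(s)")
    if USER_WRITABLE.search(target):
        reasons.append("target is in a user-writable directory")
    if tn and target and tn.lower() not in _basename(target).lower():
        reasons.append(f'task name "{tn}" does not describe target {_basename(target)}')
    return "scheduled-task persistence: " + ", ".join(reasons) if reasons else None


def rule_masquerade(ev: ProcEvent):
    """A Windows-component name running from outside C:\\Windows."""
    if _basename(ev.image).lower() in SYSTEM_LOOKALIKES and not ev.image.lower().startswith("c:\\windows\\"):
        return f"system-component name outside C:\\Windows: {ev.image}"
    return None


def rule_dropped_chain(ev: ProcEvent, by_pid: dict):
    """An executable in a user-writable path started by another one: a dropper chain."""
    parent = by_pid.get(ev.ppid)
    if parent and USER_WRITABLE.search(ev.image) and USER_WRITABLE.search(parent.image):
        return f"executable in user-writable path launched by another (parent PID {parent.pid})"
    return None


def rule_recon(ev: ProcEvent, by_pid: dict):
    """getmac whose ancestry leads back to a binary in a user-writable path."""
    if _basename(ev.image).lower() != "getmac.exe":
        return None
    cur = by_pid.get(ev.ppid)
    while cur:  # walk up: getmac from a user's shell is routine, from %TEMP% it is fingerprinting
        if USER_WRITABLE.search(cur.image):
            return f"host fingerprinting (getmac) on behalf of PID {cur.pid}"
        cur = by_pid.get(cur.ppid)
    return None


def analyze(events) -> list:
    """Return (pid, rule name, detail) for every rule that fires on every event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, result in (("schtasks", rule_schtasks(ev)), ("masquerade", rule_masquerade(ev)),
                             ("dropped_chain", rule_dropped_chain(ev, by_pid)), ("recon", rule_recon(ev, by_pid))):
            if result:
                findings.append((ev.pid, name, result))
    return findings


# The report's process tree, reconstructed from its PIDs and command lines (parent of 5000 unknown).
TMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTMENU = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
TREE = [
    ProcEvent(5000, None, TMP + r"\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe", '"' + TMP + r'\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"'),
    ProcEvent(1960, 5000, TMP + r"\GoldHaxV2.98464Bit.exe", '"' + TMP + r'\GoldHaxV2.98464Bit.exe"'),
    ProcEvent(2084, 1960, TMP + r"\GoldHax V2.984 64 Bit.EXE", '"' + TMP + r'\GoldHax V2.984 64 Bit.EXE"'),
    ProcEvent(4388, 1960, TMP + r"\Windows Security Health Service.exe", '"' + TMP + r'\Windows Security Health Service.exe"'),
    ProcEvent(620, 4388, STARTMENU, '"' + STARTMENU + '"'),
    ProcEvent(2632, 620, r"C:\Windows\SysWOW64\schtasks.exe",
              'schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "' + STARTMENU + '"'),
    ProcEvent(2484, 5000, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /c getmac /v /fo list'),
    ProcEvent(2404, 2484, r"C:\Windows\SysWOW64\getmac.exe", "getmac /v /fo list"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(TREE):
        print(f"PID {pid:>5}  {rule:<14} {detail}")
```

The recon rule walks the whole ancestry rather than checking only the direct parent, because here getmac's parent is a legitimate cmd.exe and the interesting process is one hop further up; the same holds for the dropped-chain rule, which fires on each stage so the full 5000 → 1960 → 4388 → 620 lineage is visible in the output.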

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Usermode Font Driver Host.exe.log

    Filesize

    591B

    MD5

    bd95ac96ff31d0b0495938dd64dae2e1

    SHA1

    2a3b064d19c455097a55d56212afda1bde598281

    SHA256

    6a7a49027aefabf3e2923afbb8ff2f1d7d35b95488dd410fa0ace874965c76a1

    SHA512

    3f489a6e9e8f8400bcb76207fc024653641a30a9ee02cc8175173c341976dcc1715a6dcc4ea5b9abad884bdd9730e5f4062194c9fe9736e9ca4e6351f800709f

  • C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

    Filesize

    125KB

    MD5

    6a62d4ed369105b26b6133f536160791

    SHA1

    f9e232fb7f7316fbaafcb817235e2406ebd8db79

    SHA256

    fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70

    SHA512

    ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980

  • C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

    Filesize

    177KB

    MD5

    76aca22cbb97f33600ac8a57643e9521

    SHA1

    7f0fbe012460ff4ed705f2002190b72f717eab8f

    SHA256

    d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a

    SHA512

    50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0

  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

    Filesize

    53KB

    MD5

    996f495437c25b794acafc4b0f945a84

    SHA1

    e22fb0120b9988928303323593478edad4887fa3

    SHA256

    d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f

    SHA512

    0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63

  • memory/1960-16-0x0000000000460000-0x0000000000492000-memory.dmp

    Filesize

    200KB

  • memory/5000-0-0x00000000003D0000-0x00000000006A2000-memory.dmp

    Filesize

    2.8MB

  • memory/5000-1-0x00000000003D0000-0x00000000006A2000-memory.dmp

    Filesize

    2.8MB

  • memory/5000-2-0x00000000003D0000-0x00000000006A2000-memory.dmp

    Filesize

    2.8MB

  • memory/5000-3-0x0000000006DC0000-0x0000000006DF6000-memory.dmp

    Filesize

    216KB

  • memory/5000-4-0x00000000096C0000-0x000000000975C000-memory.dmp

    Filesize

    624KB

  • memory/5000-38-0x00000000003D0000-0x00000000006A2000-memory.dmp

    Filesize

    2.8MB