Analysis Overview
SHA256
6e583adac8898dc310ba84f6feb3c1c3582ca89b36297cf797959b7763964a10
Threat Level: Known bad
The file 1f5ea06e1c469341653dbec2e519e573_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 19:30
Signatures
RevengeRat Executable
Revengerat family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 19:30
Reported
2024-07-30 04:09
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 19:30
Reported
2024-07-30 04:09
Platform
win7-20240705-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"
Network
Files