Malware Analysis Report

2024-10-19 08:43

Sample ID 240728-x7wacavaja
Target 1f5ea06e1c469341653dbec2e519e573_JaffaCakes118
SHA256 6e583adac8898dc310ba84f6feb3c1c3582ca89b36297cf797959b7763964a10
Tags: stealer parrot-security revengerat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

6e583adac8898dc310ba84f6feb3c1c3582ca89b36297cf797959b7763964a10

Threat Level: Known bad

The file 1f5ea06e1c469341653dbec2e519e573_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stealer parrot-security revengerat

RevengeRat Executable

Revengerat family

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 19:30

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 19:30

Reported

2024-07-30 04:09

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.ngrok.io N/A N/A
N/A 2.tcp.ngrok.io N/A N/A
N/A 2.tcp.ngrok.io N/A N/A
N/A 2.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 13.59.15.185:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.22.53.161:18683 2.tcp.ngrok.io tcp

Files

memory/940-0-0x00007FF913005000-0x00007FF913006000-memory.dmp

memory/940-2-0x000000001C240000-0x000000001C70E000-memory.dmp

memory/940-1-0x00007FF912D50000-0x00007FF9136F1000-memory.dmp

memory/940-3-0x000000001BC30000-0x000000001BCD6000-memory.dmp

memory/940-4-0x000000001C780000-0x000000001C7E2000-memory.dmp

memory/940-5-0x00007FF912D50000-0x00007FF9136F1000-memory.dmp

memory/940-6-0x00007FF912D50000-0x00007FF9136F1000-memory.dmp

memory/940-7-0x00007FF913005000-0x00007FF913006000-memory.dmp

memory/940-8-0x00007FF912D50000-0x00007FF9136F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 19:30

Reported

2024-07-30 04:09

Platform

win7-20240705-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.ngrok.io N/A N/A
N/A 2.tcp.ngrok.io N/A N/A
N/A 2.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f5ea06e1c469341653dbec2e519e573_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 2.tcp.ngrok.io tcp
US 3.138.45.170:18683 tcp

Files

memory/1660-0-0x000007FEF5FCE000-0x000007FEF5FCF000-memory.dmp

memory/1660-1-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

memory/1660-2-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

memory/1660-3-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp