Malware Analysis Report

2024-10-19 08:43

Sample ID 240729-l4yqhssdnn
Target 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118
SHA256 a62eac7125d6a8e953325e4408f6f6ab187c808f9bfc0334e4d8723fae97c021
Tags
stealer builder revengerat persistence
score
10/10

Table of Contents

Analysis Overview

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a62eac7125d6a8e953325e4408f6f6ab187c808f9bfc0334e4d8723fae97c021

Threat Level: Known bad

The file 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stealer builder revengerat persistence

RevengeRat Executable

Revengerat family

Drops startup file

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-07-29 10:05

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 10:05

Reported

2024-07-29 10:13

Platform

win7-20240704-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schost.js C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mscode = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klmejjjw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB0E.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hotkey.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\klmejjjw.cmdline

MD5 9a9839e2c3f7901e7e92fa624407876c
SHA1 e1a472fc9cac1d53838a4ee3c10ae582ed2da7ad
SHA256 9c9492bc2b381bc70d3d79a491f872e5bf14195104283bb888c15ec6f34decaa
SHA512 f122b63959870d80bb0511f05ebc74e7d281699c0a629c149a29bf238bca75e1ab33b38c47d39cc83925be12115d9e836610b8d5f28a214cc9a6406c7abdf54d

C:\Users\Admin\AppData\Local\Temp\klmejjjw.0.vb

MD5 c9affc499509d8a9c1b93e9590e55d7f
SHA1 832ddeefbe416bb4bb5349e3d44d660cf69614c6
SHA256 4e4d855ef36455df9965a719b2ecaf3e5f1fc3fb614eba6c377e4b3696106249
SHA512 fdb98921f4001e56d46dd17975fa41e76e6f2028d509cd38266e5889279690ab04d0548547ab26629bfba3855b0e6817650abac5e6f086a464ed56bfb3b4f16c

memory/2616-11-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcAB0E.tmp

MD5 4ae835497e2f7ceaf82995a952ab9488
SHA1 4800591a27a535f287c294cb30e79f951ffa6e93
SHA256 f2811dc74cc9db37a8327e8cf3b9b87c86a1628446178c6fd53476c9293a8ca5
SHA512 e292c23402150a0031fb01997ed8e7cf3871957906360fad7f6fbdc2f9695791020fab8ce066436aa96c17811a84174ce5b7206e16a98f8b3ddebe4ff217e19c

C:\Users\Admin\AppData\Local\Temp\RESAB2E.tmp

MD5 f06540e09c627fb6248bc61aff1f4d8f
SHA1 f1ce6b593b4b92d11503dd9adbed96c616debae0
SHA256 ee024b390b4749d66b7e0bbb2af944364697143e1e7aa40fff986452c390c8a2
SHA512 78b892aa615c5df21f73ef680a251473eafbae59040a919bf12894f174234ce0bd0df51c313025930555a6844de9a131528c5e81be514add848a52b073b26f80

memory/2616-19-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 10:05

Reported

2024-07-29 10:14

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schost.js C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscode = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rtuvsozl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E4265398D874D07AA988925F8C33978.TMP"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\rtuvsozl.cmdline

MD5 8ba4081d3249e55a443a936663b5791f
SHA1 d1727b9a39cfd39532a4f9e9c337665085bd4532
SHA256 932aec4c58075b180bf41b9261576c838c6021b7fe806c57a70d8290f33f5e1d
SHA512 c974d836b88b3134c691c303a5c3eca7ac5151cef7f63604ad2dffe469e17ed0078ae4bff7ff67578965dd9fb5239430cb757a472690a2a7ad5279e70328c751

C:\Users\Admin\AppData\Local\Temp\rtuvsozl.0.vb

MD5 c9affc499509d8a9c1b93e9590e55d7f
SHA1 832ddeefbe416bb4bb5349e3d44d660cf69614c6
SHA256 4e4d855ef36455df9965a719b2ecaf3e5f1fc3fb614eba6c377e4b3696106249
SHA512 fdb98921f4001e56d46dd17975fa41e76e6f2028d509cd38266e5889279690ab04d0548547ab26629bfba3855b0e6817650abac5e6f086a464ed56bfb3b4f16c

memory/2968-14-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc7E4265398D874D07AA988925F8C33978.TMP

MD5 4ae835497e2f7ceaf82995a952ab9488
SHA1 4800591a27a535f287c294cb30e79f951ffa6e93
SHA256 f2811dc74cc9db37a8327e8cf3b9b87c86a1628446178c6fd53476c9293a8ca5
SHA512 e292c23402150a0031fb01997ed8e7cf3871957906360fad7f6fbdc2f9695791020fab8ce066436aa96c17811a84174ce5b7206e16a98f8b3ddebe4ff217e19c

C:\Users\Admin\AppData\Local\Temp\RES96EC.tmp

MD5 7fffb4c41bedfa37e1f4c8fa297ca107
SHA1 374173ea82cdffa4deb9882bce96eb7db50eed91
SHA256 e0f56e9f15f8c1844dd40ed911732fb893142a39aad98261305f9b133c7c2b35
SHA512 e7be71e867e636f85ee7f8575b20e6c0b9b0a52a77fba51f596278e12667c9a5696a3ba64367e538995078f9758edc97e7d5f93d08dc437fadd59fca25c5bb1d

memory/2968-22-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp