Analysis Overview
SHA256
038391b2020f10bc643e322fd0f668af217f5415c1f030454080bf34fcae538f
Threat Level: Known bad
The file 5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 19:40
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 19:40
Reported
2024-07-29 21:39
Platform
win7-20240704-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.39.220:19356 | 0.tcp.ngrok.io | tcp |
Files
memory/1924-0-0x000007FEF453E000-0x000007FEF453F000-memory.dmp
memory/1924-1-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp
memory/1924-2-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp
memory/1924-3-0x000007FEF453E000-0x000007FEF453F000-memory.dmp
memory/1924-4-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 19:40
Reported
2024-07-29 21:42
Platform
win10v2004-20240729-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.22.30.40:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.14.182.203:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.13.191.225:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.13.191.225:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.13.191.225:19356 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
| US | 3.134.125.175:19356 | 0.tcp.ngrok.io | tcp |
Files
memory/4540-0-0x00007FF928E55000-0x00007FF928E56000-memory.dmp
memory/4540-1-0x000000001C320000-0x000000001C7EE000-memory.dmp
memory/4540-2-0x00007FF928BA0000-0x00007FF929541000-memory.dmp
memory/4540-3-0x000000001BD10000-0x000000001BDB6000-memory.dmp
memory/4540-4-0x000000001C860000-0x000000001C8C2000-memory.dmp
memory/4540-5-0x00007FF928BA0000-0x00007FF929541000-memory.dmp
memory/4540-6-0x00007FF928E55000-0x00007FF928E56000-memory.dmp
memory/4540-7-0x00007FF928BA0000-0x00007FF929541000-memory.dmp