Malware Analysis Report

2024-10-19 08:44

Sample ID 240729-ydv8xs1flb
Target 5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118
SHA256 038391b2020f10bc643e322fd0f668af217f5415c1f030454080bf34fcae538f
Tags
stealer parrot-security revengerat
score
10/10

Analysis Overview

score
10/10

SHA256

038391b2020f10bc643e322fd0f668af217f5415c1f030454080bf34fcae538f

Threat Level: Known bad

The file 5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stealer parrot-security revengerat

RevengeRat Executable

Revengerat family

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 19:40

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 19:40

Reported

2024-07-29 21:39

Platform

win7-20240704-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp
US 3.134.39.220:19356 0.tcp.ngrok.io tcp

Files

memory/1924-0-0x000007FEF453E000-0x000007FEF453F000-memory.dmp

memory/1924-1-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp

memory/1924-2-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp

memory/1924-3-0x000007FEF453E000-0x000007FEF453F000-memory.dmp

memory/1924-4-0x000007FEF4280000-0x000007FEF4C1D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 19:40

Reported

2024-07-29 21:42

Platform

win10v2004-20240729-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5bcbe8f7299bcd8e63f34def74b24b72_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 3.22.30.40:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 3.14.182.203:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.13.191.225:19356 0.tcp.ngrok.io tcp
US 3.13.191.225:19356 0.tcp.ngrok.io tcp
US 3.13.191.225:19356 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp
US 3.134.125.175:19356 0.tcp.ngrok.io tcp

Files

memory/4540-0-0x00007FF928E55000-0x00007FF928E56000-memory.dmp

memory/4540-1-0x000000001C320000-0x000000001C7EE000-memory.dmp

memory/4540-2-0x00007FF928BA0000-0x00007FF929541000-memory.dmp

memory/4540-3-0x000000001BD10000-0x000000001BDB6000-memory.dmp

memory/4540-4-0x000000001C860000-0x000000001C8C2000-memory.dmp

memory/4540-5-0x00007FF928BA0000-0x00007FF929541000-memory.dmp

memory/4540-6-0x00007FF928E55000-0x00007FF928E56000-memory.dmp

memory/4540-7-0x00007FF928BA0000-0x00007FF929541000-memory.dmp