Analysis

  • max time kernel
    127s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    31-07-2024 08:06

General

  • Target

    7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe

  • Size

    55KB

  • MD5

    7bd4aa2c112ccffee7efbaa419fa5cc2

  • SHA1

    ca2b6c237c0c222303598e55343a703f6e077ab6

  • SHA256

    94848d51c7af3005826cc841f475691be91e267981258000bdbd6274ba83c3eb

  • SHA512

    36e660ca7a2ee3efaa834595f7f0dd55184d86089abd2cf8e1783906bdb6f921333b324f50a26e93a76c5370eadb86386a53b06d0f51e076d6862967b4d6ecab

  • SSDEEP

    768:8t9p8q06ET5JGpfLcm8FcLQTrIkh6iy8pP7HhHltThV/mrzYcCe:8tsvCpfLcm82LQ/B48J7ZThtmZ

Malware Config

Extracted

Family

revengerat

Botnet

V_1_d_4_L_0_k_4

C2

hax00r.duckdns.org:3333

Mutex

RV_MUTEX-DRRrJCqsBKTC

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\xpzZJHOw.txt

    Filesize

    84B

    MD5

    53f9a1eb8530ad231a4d9088f640e027

    SHA1

    be9a9b4f0299bc04cafd0dc2c1bd9012faa3f1ec

    SHA256

    f3cd40f06cac3bc59f7d49e9b11c3eff69b806ddc0f6ac357c29c3ebb882c96f

    SHA512

    3115cfcadd6288a7f73a1c44883b607a2c152c07081585251527d8441c3a1b7e221c01e7a4830e3c0aebcb2bc115b5e6efb9bdb1c0d3ed96f4f840657edd9e19

  • memory/2388-1-0x0000000000180000-0x000000000018A000-memory.dmp

    Filesize

    40KB

  • memory/2388-2-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/2388-3-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/2388-4-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/2388-0-0x000007FEF5AAE000-0x000007FEF5AAF000-memory.dmp

    Filesize

    4KB

  • memory/2388-23-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/2724-42-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-33-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-37-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-29-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-40-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2724-27-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2872-10-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-22-0x0000000074671000-0x0000000074672000-memory.dmp

    Filesize

    4KB

  • memory/2872-25-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2872-24-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2872-26-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2872-8-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-12-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-14-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2872-17-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-19-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-21-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2872-6-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB