Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 08:06
Static task: static1
Behavioral task behavioral1: sample 7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe, resource win7-20240704-en
Behavioral task behavioral2: sample 7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe, resource win10v2004-20240730-en
General
Target: 7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe
Size: 55KB
MD5: 7bd4aa2c112ccffee7efbaa419fa5cc2
SHA1: ca2b6c237c0c222303598e55343a703f6e077ab6
SHA256: 94848d51c7af3005826cc841f475691be91e267981258000bdbd6274ba83c3eb
SHA512: 36e660ca7a2ee3efaa834595f7f0dd55184d86089abd2cf8e1783906bdb6f921333b324f50a26e93a76c5370eadb86386a53b06d0f51e076d6862967b4d6ecab
SSDEEP: 768:8t9p8q06ET5JGpfLcm8FcLQTrIkh6iy8pP7HhHltThV/mrzYcCe:8tsvCpfLcm82LQ/B48J7ZThtmZ
Malware Config
Extracted
Family: revengerat
ID: V_1_d_4_L_0_k_4
C2: hax00r.duckdns.org:3333
Mutex: RV_MUTEX-DRRrJCqsBKTC
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoC)
  resource: behavioral2/memory/524-4-0x000000001B990000-0x000000001B99A000-memory.dmp, yara_rule: revengerat

Drops startup file (1 IoC)
  MSBuild.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook.URL
  A .URL shortcut in the per-user Startup folder is executed at every logon, so this is the sample's persistence mechanism.

Suspicious use of SetThreadContext (2 IoCs)
  PID 524 (7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe) set thread context of PID 2640 (MSBuild.exe)
  PID 2640 (MSBuild.exe) set thread context of PID 2628 (MSBuild.exe)
  Taken together with the WriteProcessMemory events below (each parent writes into the child it just spawned, then sets the child's thread context), this is the standard process-hollowing sequence: the RevengeRAT payload runs inside a legitimate, Microsoft-signed .NET host binary rather than in the dropper's own process.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  MSBuild.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  MSBuild.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 524 (7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe): Token: SeDebugPrivilege
  PID 2640 (MSBuild.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 524 (7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe) wrote to memory of PID 2640 (MSBuild.exe): 9 writes
  PID 2640 (MSBuild.exe) wrote to memory of PID 2628 (MSBuild.exe): 8 writes
Processes

1. C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
   PID: 524
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      PID: 2640
      - Drops startup file
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
         PID: 2628
         - System Location Discovery: System Language Discovery

Note that both MSBuild.exe instances are launched with no project file or node-mode arguments at all, which a real build never does; the bare command line is itself a usable detection key.
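The behaviour chain above (a Temp-folder dropper spawning an argument-less MSBuild.exe, MSBuild.exe spawning itself, a Startup-folder write, and the extracted C2 host) maps cleanly onto host-telemetry rules. The following is an added detection example written for this page; it is not part of the sandbox report or of any vendor tooling. The events are constructed to mirror the process tree and IoCs in this report (the explorer.exe parent of PID 524 and the DNS beacon are assumed, since the report records neither), the event schema (type, pid, image, command_line, parent_image, target, query) is a made-up Sysmon-like shape, and the technique tags T1127.001 and T1547.001 are the ATT&CK IDs for MSBuild proxy execution and Startup-folder persistence. Two benign build-tool events are included as controls so the rules can be checked for false positives.

```python
"""Detection rules for the RevengeRAT-via-MSBuild chain, over constructed events."""
import re
from dataclasses import dataclass

# Indicators taken from the report's extracted config.
C2_HOSTS = {"hax00r.duckdns.org"}
C2_PORT = 3333

MSBUILD_RE = re.compile(r"\\MSBuild\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    tag: str      # ATT&CK technique ID, or "C2" for the network indicator match
    pid: int
    reason: str


def msbuild_arguments(command_line: str) -> str:
    """Return whatever follows the (quoted or bare) image path on the command line.
    A genuine build passes a project file and/or /nodemode flags; the sample passes nothing."""
    cl = command_line.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        return cl[close + 1:].strip() if close != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def check_process_create(e):
    """Flag MSBuild.exe started with an empty argument list, graded by parent."""
    if not MSBUILD_RE.search(e["image"]):
        return None
    if msbuild_arguments(e["command_line"]):
        return None  # has a project or node-mode argument: ordinary build tooling
    parent = e["parent_image"]
    if TEMP_RE.search(parent):
        why = "argument-less MSBuild.exe spawned by an executable in AppData\\Local\\Temp"
    elif MSBUILD_RE.search(parent):
        why = "argument-less MSBuild.exe spawned by another MSBuild.exe (nested hollowing)"
    else:
        why = "argument-less MSBuild.exe with unexpected parent %s" % parent
    return Finding("T1127.001", e["pid"], why)


def check_file_create(e):
    """Flag Startup-folder writes by MSBuild.exe or by anything running from Temp."""
    if STARTUP_RE.search(e["target"]) and (MSBUILD_RE.search(e["image"]) or TEMP_RE.search(e["image"])):
        name = e["image"].rsplit("\\", 1)[-1]
        return Finding("T1547.001", e["pid"], "Startup-folder write by %s: %s" % (name, e["target"]))
    return None


def check_network(e):
    """Exact C2 host match, plus a looser match on the same dynamic-DNS provider and port
    (assumption: the operator rotates duckdns subdomains but keeps the port)."""
    host = (e.get("query") or e.get("dest_host", "")).lower()
    if host in C2_HOSTS or (e.get("dest_port") == C2_PORT and host.endswith(".duckdns.org")):
        return Finding("C2", e["pid"], "contact with RevengeRAT C2 indicator %s" % host)
    return None


CHECKS = {"process_create": check_process_create, "file_create": check_file_create,
          "dns_query": check_network, "network_connect": check_network}


def run_detection(events):
    findings = []
    for e in events:
        check = CHECKS.get(e["type"])
        f = check(e) if check else None
        if f:
            findings.append(f)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
MSBUILD2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
MSBUILD4 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed events mirroring the report's process tree; explorer.exe parent and DNS beacon are assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 524, "image": SAMPLE, "command_line": '"%s"' % SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 2640, "image": MSBUILD2, "command_line": '"%s"' % MSBUILD2,
     "parent_image": SAMPLE},
    {"type": "process_create", "pid": 2628, "image": MSBUILD2, "command_line": '"%s"' % MSBUILD2,
     "parent_image": MSBUILD2},
    {"type": "file_create", "pid": 2640, "image": MSBUILD2,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook.URL"},
    {"type": "dns_query", "pid": 2628, "image": MSBUILD2, "query": "hax00r.duckdns.org"},
    # Benign controls: a real Visual Studio build and its node-reuse child must not fire.
    {"type": "process_create", "pid": 4100, "image": MSBUILD4,
     "command_line": '"%s" App.csproj /t:Build' % MSBUILD4,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "process_create", "pid": 4104, "image": MSBUILD4,
     "command_line": '"%s" /nologo /nodemode:1 /nodeReuse:true' % MSBUILD4, "parent_image": MSBUILD4},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f.tag, f.pid, f.reason)
```

The argument-list check is what keeps the MSBuild rule quiet on developer machines: legitimate child nodes are spawned by MSBuild.exe with /nodemode and /nodeReuse, so self-spawning alone is not a signal, but an empty argument list is. The Startup-folder rule is deliberately scoped to MSBuild.exe and Temp-resident images; a rule on every Startup write would be noisy on installers.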
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84B
MD5: 53f9a1eb8530ad231a4d9088f640e027
SHA1: be9a9b4f0299bc04cafd0dc2c1bd9012faa3f1ec
SHA256: f3cd40f06cac3bc59f7d49e9b11c3eff69b806ddc0f6ac357c29c3ebb882c96f
SHA512: 3115cfcadd6288a7f73a1c44883b607a2c152c07081585251527d8441c3a1b7e221c01e7a4830e3c0aebcb2bc115b5e6efb9bdb1c0d3ed96f4f840657edd9e19