Analysis Overview
SHA256
94848d51c7af3005826cc841f475691be91e267981258000bdbd6274ba83c3eb
Threat Level: Known bad
The file 7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Drops startup file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 08:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 08:06
Reported
2024-07-31 08:08
Platform
win7-20240704-en
Max time kernel
127s
Max time network
137s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2388 set thread context of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 2872 set thread context of 2724 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
Files
memory/2388-0-0x000007FEF5AAE000-0x000007FEF5AAF000-memory.dmp
memory/2388-1-0x0000000000180000-0x000000000018A000-memory.dmp
memory/2388-2-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp
memory/2388-3-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp
memory/2388-4-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp
memory/2872-6-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-21-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-19-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-17-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2872-14-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-12-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-10-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-8-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2872-22-0x0000000074671000-0x0000000074672000-memory.dmp
memory/2388-23-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp
memory/2872-25-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2872-24-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2872-26-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2724-27-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xpzZJHOw.txt
| MD5 | 53f9a1eb8530ad231a4d9088f640e027 |
| SHA1 | be9a9b4f0299bc04cafd0dc2c1bd9012faa3f1ec |
| SHA256 | f3cd40f06cac3bc59f7d49e9b11c3eff69b806ddc0f6ac357c29c3ebb882c96f |
| SHA512 | 3115cfcadd6288a7f73a1c44883b607a2c152c07081585251527d8441c3a1b7e221c01e7a4830e3c0aebcb2bc115b5e6efb9bdb1c0d3ed96f4f840657edd9e19 |
memory/2724-37-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2724-33-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2724-31-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2724-29-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2724-42-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2724-40-0x0000000000400000-0x0000000000414000-memory.dmp
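The signature tables above describe a chain a detection engineer can encode directly: the sample in %TEMP% launches MSBuild.exe with no arguments and rewrites its thread context (hollowing), the hollowed MSBuild.exe repeats the trick into a second MSBuild.exe, drops Facebook.URL into the Startup folder, reads the NLS\Language key, and the host resolves a DuckDNS name and connects to it on TCP/3333 (behavioral2 shows the same chain with pids 524, 2640 and 2628). The following is an added example, not the sandbox's own rules or output: the event stream is constructed to mirror the tables, its field names are an assumption rather than the sandbox's schema, network events carry no pid because the report's Network table has no Process column, and the dynamic-DNS suffix list and ATT&CK labels are the example's own.

```python
"""Detection rules over a constructed event stream mirroring behavioral1."""
from __future__ import annotations
import re
import shlex

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook.URL"

# Constructed events in the order the report's tables imply. Field names are an
# assumption (not the sandbox's schema); network events have no pid because the
# report's Network table has no Process column.
EVENTS = [
    {"type": "process_create", "pid": 2388, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "token_adjust", "pid": 2388, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 2872, "ppid": 2388, "image": MSBUILD, "cmdline": f'"{MSBUILD}"'},
    {"type": "set_thread_context", "pid": 2388, "target_pid": 2872},
    {"type": "token_adjust", "pid": 2872, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 2724, "ppid": 2872, "image": MSBUILD, "cmdline": f'"{MSBUILD}"'},
    {"type": "set_thread_context", "pid": 2872, "target_pid": 2724},
    {"type": "file_write", "pid": 2872, "path": STARTUP},
    {"type": "reg_open", "pid": 2872, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # The resolver (8.8.8.8) is context, not an indicator; the connect rule fires on the name and port.
    {"type": "dns", "query": "hax00r.duckdns.org", "server": "8.8.8.8"},
    {"type": "connect", "domain": "hax00r.duckdns.org", "dst": "35.199.109.211", "dport": 3333, "proto": "tcp"},
]

# Contrast case (constructed): a real build, MSBuild.exe given a project and a target.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 900, "ppid": 1, "image": MSBUILD, "cmdline": f'"{MSBUILD}" app.csproj /t:Build'},
    {"type": "reg_open", "pid": 900, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")  # assumption: a small local list
WEB_PORTS = {80, 443}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def cmdline_args(cmdline: str) -> list[str]:
    """Windows-style split (quotes kept, no backslash escapes); everything after the image."""
    return shlex.split(cmdline, posix=False)[1:]


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs. Rules that depend on hollowing only fire for
    pids already seen as a SetThreadContext target of their own parent."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hollowed: set[int] = set()
    findings: list[tuple[str, str]] = []
    for e in events:
        t = e["type"]
        if t == "set_thread_context":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            # Hollowing signature: a parent rewrites the thread context of a child it just spawned.
            if src and dst and dst["ppid"] == e["pid"]:
                hollowed.add(e["target_pid"])
                why = (f"pid {e['pid']} ({basename(src['image'])}) set thread context of "
                       f"child pid {e['target_pid']} ({basename(dst['image'])})")
                if basename(dst["image"]).lower() == "msbuild.exe" and not cmdline_args(dst["cmdline"]):
                    why += "; MSBuild.exe launched with no project or switches"
                findings.append(("T1055.012 process hollowing", why))
        elif t == "token_adjust" and e["privilege"] == "SeDebugPrivilege":
            img = procs[e["pid"]]["image"]
            if USER_WRITABLE.match(img) or e["pid"] in hollowed:
                findings.append(("SeDebugPrivilege from untrusted process", f"pid {e['pid']} ({basename(img)})"))
        elif t == "file_write" and STARTUP_DIR.search(e["path"]):
            tag = "hollowed " if e["pid"] in hollowed else ""
            findings.append(("T1547.001 startup folder persistence", f"{tag}pid {e['pid']} wrote {basename(e['path'])}"))
        elif t == "reg_open" and e["key"].lower().endswith(r"\nls\language") and e["pid"] in hollowed:
            findings.append(("T1614.001 system language discovery", f"hollowed pid {e['pid']} read {e['key']}"))
        elif (t == "connect" and e["proto"] == "tcp" and e["dport"] not in WEB_PORTS
              and e["domain"].endswith(DYNDNS_SUFFIXES)):
            findings.append(("C2 candidate", f"{e['domain']} -> {e['dst']}:{e['dport']} (dynamic DNS name, non-web port)"))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
    print("benign MSBuild findings:", detect(BENIGN_EVENTS))
```

The language-key rule is deliberately gated on a prior hollowing event: MSBuild.exe reading NLS\Language is ordinary .NET startup behaviour, and on its own it is noise, as the benign contrast case shows.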
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 08:06
Reported
2024-07-31 08:08
Platform
win10v2004-20240730-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 524 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 2640 set thread context of 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
Files
memory/524-0-0x00007FF89D585000-0x00007FF89D586000-memory.dmp
memory/524-1-0x000000001B8E0000-0x000000001B986000-memory.dmp
memory/524-2-0x00007FF89D2D0000-0x00007FF89DC71000-memory.dmp
memory/524-3-0x00007FF89D2D0000-0x00007FF89DC71000-memory.dmp
memory/524-4-0x000000001B990000-0x000000001B99A000-memory.dmp
memory/524-5-0x000000001BF90000-0x000000001C45E000-memory.dmp
memory/524-6-0x000000001C4D0000-0x000000001C532000-memory.dmp
memory/524-7-0x00007FF89D2D0000-0x00007FF89DC71000-memory.dmp
memory/524-8-0x00007FF89D585000-0x00007FF89D586000-memory.dmp
memory/2640-10-0x0000000000400000-0x0000000000416000-memory.dmp
memory/524-11-0x00007FF89D2D0000-0x00007FF89DC71000-memory.dmp
memory/2640-12-0x00000000755C2000-0x00000000755C3000-memory.dmp
memory/2640-13-0x00000000755C0000-0x0000000075B71000-memory.dmp
memory/2640-14-0x00000000755C0000-0x0000000075B71000-memory.dmp
memory/2640-15-0x00000000755C2000-0x00000000755C3000-memory.dmp
memory/2640-16-0x00000000755C0000-0x0000000075B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xpzZJHOw.txt
| MD5 | 53f9a1eb8530ad231a4d9088f640e027 |
| SHA1 | be9a9b4f0299bc04cafd0dc2c1bd9012faa3f1ec |
| SHA256 | f3cd40f06cac3bc59f7d49e9b11c3eff69b806ddc0f6ac357c29c3ebb882c96f |
| SHA512 | 3115cfcadd6288a7f73a1c44883b607a2c152c07081585251527d8441c3a1b7e221c01e7a4830e3c0aebcb2bc115b5e6efb9bdb1c0d3ed96f4f840657edd9e19 |
memory/2628-17-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2628-19-0x00000000755C0000-0x0000000075B71000-memory.dmp
memory/2628-20-0x00000000755C0000-0x0000000075B71000-memory.dmp
memory/2628-22-0x00000000755C0000-0x0000000075B71000-memory.dmp
memory/2628-23-0x00000000755C0000-0x0000000075B71000-memory.dmp
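Both detonations' Network tables mix three kinds of rows: the sandbox's resolver (8.8.8.8:53, which must not end up on a blocklist), reverse in-addr.arpa lookups that the Win10 run adds and that the report does not attribute to the sample, and the actual hax00r.duckdns.org / 35.199.109.211:3333 endpoint. The following is an added example, not part of the report: it parses rows copied verbatim from the two tables above in the page's own pipe-delimited layout, classifies each row, and folds them with the hashes from the Files sections into one de-duplicated IOC set. The classification rules are the example's own; the hashes and rows are the report's.

```python
"""Normalise the report's Network tables and file hashes into one IOC set."""
from __future__ import annotations
import ipaddress
import json
import re

# Rows copied verbatim from the behavioral1 and behavioral2 Network tables.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hax00r.duckdns.org | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| BR | 35.199.109.211:3333 | hax00r.duckdns.org | tcp |
"""

# Hashes copied from the report: the sample itself and the dropped text file
# (contents of the dropped file are not shown on the page, so only its hashes are used).
FILE_IOCS = {
    "7bd4aa2c112ccffee7efbaa419fa5cc2_JaffaCakes118": {
        "sha256": "94848d51c7af3005826cc841f475691be91e267981258000bdbd6274ba83c3eb",
    },
    "xpzZJHOw.txt": {
        "md5": "53f9a1eb8530ad231a4d9088f640e027",
        "sha1": "be9a9b4f0299bc04cafd0dc2c1bd9012faa3f1ec",
        "sha256": "f3cd40f06cac3bc59f7d49e9b11c3eff69b806ddc0f6ac357c29c3ebb882c96f",
    },
}

ROW = re.compile(r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(text: str) -> list[dict]:
    """Parse the page's '| country | ip:port | domain | proto |' rows; skips anything else."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """'75.159.190.20.in-addr.arpa' -> '20.190.159.75' (octets are stored reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row: dict) -> str:
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr-lookup"   # reverse lookups the report does not attribute to the sample
    if row["port"] == 53 and row["proto"] == "udp":
        return "resolver"     # the sandbox's DNS server; the queried name is the indicator, not the server
    if ipaddress.ip_address(row["ip"]).is_private:
        return "internal"
    return "endpoint"


def build_iocs(text: str) -> dict[str, set[str]]:
    iocs: dict[str, set[str]] = {"domains": set(), "endpoints": set(), "resolvers": set(), "ptr_noise": set()}
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "ptr-lookup":
            iocs["ptr_noise"].add(ptr_to_ip(row["domain"]))
        elif kind == "resolver":
            iocs["resolvers"].add(row["ip"])
            iocs["domains"].add(row["domain"])
        elif kind == "endpoint":
            iocs["domains"].add(row["domain"])
            iocs["endpoints"].add(f"{row['ip']}:{row['port']}")
    return iocs


def blocklist(iocs: dict[str, set[str]]) -> list[str]:
    """Only the C2 name and socket are worth blocking; resolver and PTR targets are excluded."""
    return sorted(iocs["domains"]) + sorted(iocs["endpoints"])


if __name__ == "__main__":
    result = build_iocs(NETWORK_ROWS)
    print(json.dumps({k: sorted(v) for k, v in result.items()}, indent=2))
    print("blocklist:", blocklist(result))
    print("file hashes:", json.dumps(FILE_IOCS, indent=2))
```

The ptr_noise set is kept rather than dropped so an analyst can see which addresses the guest looked up in the background; they are reported separately precisely so they are not mistaken for the sample's infrastructure.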