Overview

overview

10

Static

static

10

8ea92ddfe6...18.exe

windows7-x64

10

8ea92ddfe6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ea92ddfe617fedeec1c6b0bff838476_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    8ea92ddfe617fedeec1c6b0bff838476

  • SHA1

    f83902750d88e3df6d98f1fc512719a566e1e4ba

  • SHA256

    a0cfcc96d6892c6416c98bd378714d5efc811d8f3dfbf97c1b84632a3db3d2f2

  • SHA512

    896ef9d7508c7d778af04016e422464d2cc9b2d29aa3d46195c9e206733e33ad4041f1cfec16862467b1086f20808b8e7a1d8cc42cb1106e55e69f451c48c2e1

  • SSDEEP

    384:K4REqxuNBvRPJnMy6EnFmDHojf36bysVVTyrUiysts4:K4Rdxd8KHojblUft4

Score
10/10
revengeratpersistencestealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ea92ddfe617fedeec1c6b0bff838476_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8ea92ddfe617fedeec1c6b0bff838476_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Roaming\Host.exe
      "C:\Users\Admin\AppData\Roaming\Host.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Host.exe
    Filesize

    17KB

    MD5

    8ea92ddfe617fedeec1c6b0bff838476

    SHA1

    f83902750d88e3df6d98f1fc512719a566e1e4ba

    SHA256

    a0cfcc96d6892c6416c98bd378714d5efc811d8f3dfbf97c1b84632a3db3d2f2

    SHA512

    896ef9d7508c7d778af04016e422464d2cc9b2d29aa3d46195c9e206733e33ad4041f1cfec16862467b1086f20808b8e7a1d8cc42cb1106e55e69f451c48c2e1

    Download Submit

  • memory/4032-20-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4032-19-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4032-18-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4924-6-0x00007FFA21045000-0x00007FFA21046000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4924-5-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4924-0-0x00007FFA21045000-0x00007FFA21046000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4924-7-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4924-4-0x000000001BE00000-0x000000001BE62000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4924-17-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4924-3-0x000000001BC90000-0x000000001BD36000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4924-2-0x000000001B7C0000-0x000000001BC8E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4924-1-0x00007FFA20D90000-0x00007FFA21731000-memory.dmp

    Filesize

    9.6MB

    Download