Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 12:30
Behavioral task
behavioral1
Sample
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe
-
Size
97KB
-
MD5
be981e8c2a43e58bc1d2033366451055
-
SHA1
e238675da9ddd2dce9302c34eb3944c1b2724bd3
-
SHA256
257e4c94a89f643675ac749c47c9ab6aaf35a71f68fe27b8ad13068209966646
-
SHA512
e4f59a708d23123fe9b5ae6287fb2bef37cf1dd141c0aee986235238d420f3d3bf96b3cf6666c5671f2dfe0ae30bc632dc19e35653c3f93e7bfe4537bcb7eef8
-
SSDEEP
1536:j7uEipr5Jvov7UJlF2+aaaUHMdgHW94Az5OCxEdGC8KiJOaP8PwrVo:jqEXUJlF2+raEAcFdCxEdoVwYvS
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000e0000000233df-10.dat revengerat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe -
Drops startup file 2 IoCs
Processes:
TuxlerVPN.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TuxlerVPN.exe TuxlerVPN.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TuxlerVPN.exe TuxlerVPN.exe -
Executes dropped EXE 1 IoCs
Processes:
TuxlerVPN.exepid Process 4952 TuxlerVPN.exe -
Drops file in System32 directory 4 IoCs
Processes:
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exeTuxlerVPN.exedescription ioc Process File created C:\Windows\SysWOW64\TuxlerVPN.exe be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\TuxlerVPN.exe be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\TuxlerVPN.exe TuxlerVPN.exe File created C:\Windows\SysWOW64\TuxlerVPN.exe TuxlerVPN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exeTuxlerVPN.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TuxlerVPN.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exeTuxlerVPN.exedescription pid Process Token: SeDebugPrivilege 1644 be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe Token: SeDebugPrivilege 4952 TuxlerVPN.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exedescription pid Process procid_target PID 1644 wrote to memory of 4952 1644 be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe 98 PID 1644 wrote to memory of 4952 1644 be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe 98 PID 1644 wrote to memory of 4952 1644 be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\be981e8c2a43e58bc1d2033366451055_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\TuxlerVPN.exe"C:\Windows\system32\TuxlerVPN.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5be981e8c2a43e58bc1d2033366451055
SHA1e238675da9ddd2dce9302c34eb3944c1b2724bd3
SHA256257e4c94a89f643675ac749c47c9ab6aaf35a71f68fe27b8ad13068209966646
SHA512e4f59a708d23123fe9b5ae6287fb2bef37cf1dd141c0aee986235238d420f3d3bf96b3cf6666c5671f2dfe0ae30bc632dc19e35653c3f93e7bfe4537bcb7eef8