Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 06:34

General

  • Target

    c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    c85e9223f39a45884260c78b0b5d45fa

  • SHA1

    e9b9a1d025a31a82041ab39591a02a76ced55af4

  • SHA256

    2d0d5e5d693fc60c43558582dad0e4e3970e8ea48dd4cc617e6e970632d642d3

  • SHA512

    46055f813d8361aa8897bd1fb6b9cb173332e57ed8c54e7c9c3748d3b301239e4b446eb6b437ccea9084815a4efecef007b3fec002a567d16b826ee1ef0b19e3

  • SSDEEP

    24576:Oq5TfcdHj4fmbpD2q1+Vf3oVGUG5y6zl8O3uXWVpA4yozB1B:OUTsamRxMf3oVGUGfuXYAQ

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54380618 -chipderedesign -65b146a0aaae42a8a69ceefd61980137 - -BLUB2 -myqwfhtagdeodggz -1288
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DMR\myqwfhtagdeodggz.dat

    Filesize

    163B

    MD5

    f187552845413a7e2d8e2013e98607ae

    SHA1

    bc8682cdb939348ad148f98ebf583083d6efe470

    SHA256

    de497f268483d31f3211366087cfa44645364b897b6747c67a953028727c1b9b

    SHA512

    9a5c612b484ec707fad1f3822984b8f0eeeb8330d5f89e5fbd6c6c02e9afee826d44b2afb290a9498c04535b5cc5ec3fef65bac6f06344e401e2a8e954386605

  • \Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

    Filesize

    448KB

    MD5

    b4a0146baa90f5492ab02e870e85c409

    SHA1

    7b0ea47c654d906ae28fcb182eeb5a8c3bef4978

    SHA256

    d6587abcdb9ef01d5b6106566648a2a22fa900d1af7adb5f9fa0db831a01ee5a

    SHA512

    0fadeb7c52088cb7cafc0a1300ffb41ab18dfcfd50a17bfac07d8581964835af89b72188162f2c080b2da9ca9f0dd83733632b857fa6d6b388bee12be697bee2

  • memory/1288-0-0x0000000001390000-0x0000000001652000-memory.dmp

    Filesize

    2.8MB

  • memory/1288-24-0x0000000001390000-0x0000000001652000-memory.dmp

    Filesize

    2.8MB

  • memory/2000-16-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

    Filesize

    4KB

  • memory/2000-17-0x00000000013C0000-0x0000000001434000-memory.dmp

    Filesize

    464KB

  • memory/2000-19-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-20-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-21-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-22-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-23-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-25-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

    Filesize

    9.9MB