Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 06:34
Behavioral task: behavioral1
Sample: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
Size: 1.3MB
MD5: c85e9223f39a45884260c78b0b5d45fa
SHA1: e9b9a1d025a31a82041ab39591a02a76ced55af4
SHA256: 2d0d5e5d693fc60c43558582dad0e4e3970e8ea48dd4cc617e6e970632d642d3
SHA512: 46055f813d8361aa8897bd1fb6b9cb173332e57ed8c54e7c9c3748d3b301239e4b446eb6b437ccea9084815a4efecef007b3fec002a567d16b826ee1ef0b19e3
SSDEEP: 24576:Oq5TfcdHj4fmbpD2q1+Vf3oVGUG5y6zl8O3uXWVpA4yozB1B:OUTsamRxMf3oVGUGfuXYAQ
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  resource: behavioral1/files/0x0008000000016d67-4.dat | yara_rule: revengerat
- Executes dropped EXE (1 IoC)
  pid: 2000 | Process: dmr_72.exe
- Loads dropped DLL (4 IoCs)
  pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe (listed 4 times)
- UPX (yara rule matches)
  resource: behavioral1/memory/1288-0-0x0000000001390000-0x0000000001652000-memory.dmp | yara_rule: upx
  resource: behavioral1/memory/1288-24-0x0000000001390000-0x0000000001652000-memory.dmp | yara_rule: upx
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource: behavioral1/memory/1288-24-0x0000000001390000-0x0000000001652000-memory.dmp | yara_rule: autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
  pid: 2000 | Process: dmr_72.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 2000 | Process: dmr_72.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe (listed 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe (listed 3 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2000 | Process: dmr_72.exe (listed 2 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1288 wrote to memory of 2000 | pid: 1288 | Process: c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe | procid_target: 30 (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c85e9223f39a45884260c78b0b5d45fa_JaffaCakes118.exe"
  PID: 1288
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe (child of PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54380618 -chipderedesign -65b146a0aaae42a8a69ceefd61980137 - -BLUB2 -myqwfhtagdeodggz -1288
    PID: 2000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 163B
  MD5: f187552845413a7e2d8e2013e98607ae
  SHA1: bc8682cdb939348ad148f98ebf583083d6efe470
  SHA256: de497f268483d31f3211366087cfa44645364b897b6747c67a953028727c1b9b
  SHA512: 9a5c612b484ec707fad1f3822984b8f0eeeb8330d5f89e5fbd6c6c02e9afee826d44b2afb290a9498c04535b5cc5ec3fef65bac6f06344e401e2a8e954386605
- Filesize: 448KB
  MD5: b4a0146baa90f5492ab02e870e85c409
  SHA1: 7b0ea47c654d906ae28fcb182eeb5a8c3bef4978
  SHA256: d6587abcdb9ef01d5b6106566648a2a22fa900d1af7adb5f9fa0db831a01ee5a
  SHA512: 0fadeb7c52088cb7cafc0a1300ffb41ab18dfcfd50a17bfac07d8581964835af89b72188162f2c080b2da9ca9f0dd83733632b857fa6d6b388bee12be697bee2