revengerat | 20928297fd7d266b72c08c0b886fc5900a0b1efca0629814d90f62aeabc62b8b

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe
Size

63KB
MD5

ea6c29e25140c51632d8b25f4b2aa5e5
SHA1

1d85cac90a7a3d8f09135724b3f2c8a6ac2cce45
SHA256

20928297fd7d266b72c08c0b886fc5900a0b1efca0629814d90f62aeabc62b8b
SHA512

8d916cb0e942c49091958f1a9cc67b2ee4d4bf18c281f152182fc4782d2dde1238ed67122dd9c0e950971e0e4de5c0378c795ead3fbfb8eecb4c21dcfd423f42
SSDEEP

768:leJKUdD0+o74/lZJFAzTArPfVvVlD40FIxP6PusbQjZ4+64cE5AI:leAUR0EZ7iTEdvVyPhIQjZJmj

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3660-3-0x0000000000D10000-0x0000000000D18000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

System64.exe

pid	Process
4076	System64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exeSystem64.exe

description	pid	Process
Token: SeDebugPrivilege	3660	ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe
Token: SeDebugPrivilege	4076	System64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3660 wrote to memory of 4076	3660	ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe	91
PID 3660 wrote to memory of 4076	3660	ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea6c29e25140c51632d8b25f4b2aa5e5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\System64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\System64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\System64.exe

Filesize
63KB

MD5
ea6c29e25140c51632d8b25f4b2aa5e5

SHA1
1d85cac90a7a3d8f09135724b3f2c8a6ac2cce45

SHA256
20928297fd7d266b72c08c0b886fc5900a0b1efca0629814d90f62aeabc62b8b

SHA512
8d916cb0e942c49091958f1a9cc67b2ee4d4bf18c281f152182fc4782d2dde1238ed67122dd9c0e950971e0e4de5c0378c795ead3fbfb8eecb4c21dcfd423f42

Download Submit
memory/3660-6-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-2-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/3660-3-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/3660-4-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-5-0x00007FF86E123000-0x00007FF86E125000-memory.dmp

Filesize
8KB

Download
memory/3660-0-0x00007FF86E123000-0x00007FF86E125000-memory.dmp

Filesize
8KB

Download
memory/3660-1-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/3660-20-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-19-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-21-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-22-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-23-0x00007FF86E120000-0x00007FF86EBE1000-memory.dmp

Filesize
10.8MB

Download