revengerat | 6fa664b3e6255c4f32e6142aa9c23d968e9b1ec58efab5ff1bb30601d08c77cc

General

Target

f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
Size

177KB
MD5

f505850a106a302f7a4ae64686ed7137
SHA1

6f78c054be779ea4cbcd6100e9f4004dd1d65fed
SHA256

6fa664b3e6255c4f32e6142aa9c23d968e9b1ec58efab5ff1bb30601d08c77cc
SHA512

24c587db202660e8a8d571a3c8cf9667dc9af49046effaedf3318dbfbc91ed9db1d89b47bdd44197a8e4e155e6849b6688cdb89633daeb4d7a7d75bfa5c98bd0
SSDEEP

768:/JUkZ5upgG1i6tTBcdAHZk8ZwLYbDG96e9l:p5SU6vIuk8ZbyFl

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0004000000004ed7-10.dat	revengerat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe	WindowsDefender.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	WindowsDefender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsDefender.exe"	WindowsDefender.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2008	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
Token: SeDebugPrivilege	2760	WindowsDefender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2760	2132	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2760	2132	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2760	2132	f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2008	2760	WindowsDefender.exe	32
PID 2760 wrote to memory of 2008	2760	WindowsDefender.exe	32
PID 2760 wrote to memory of 2008	2760	WindowsDefender.exe	32
PID 2760 wrote to memory of 2008	2760	WindowsDefender.exe	32
PID 2008 wrote to memory of 1116	2008	WINWORD.EXE	35
PID 2008 wrote to memory of 1116	2008	WINWORD.EXE	35
PID 2008 wrote to memory of 1116	2008	WINWORD.EXE	35
PID 2008 wrote to memory of 1116	2008	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6546744.docx"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe

Filesize
177KB

MD5
f505850a106a302f7a4ae64686ed7137

SHA1
6f78c054be779ea4cbcd6100e9f4004dd1d65fed

SHA256
6fa664b3e6255c4f32e6142aa9c23d968e9b1ec58efab5ff1bb30601d08c77cc

SHA512
24c587db202660e8a8d571a3c8cf9667dc9af49046effaedf3318dbfbc91ed9db1d89b47bdd44197a8e4e155e6849b6688cdb89633daeb4d7a7d75bfa5c98bd0

Download Submit
memory/2008-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-3-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-0-0x000007FEF6A2E000-0x000007FEF6A2F000-memory.dmp

Filesize
4KB

Download
memory/2132-4-0x000007FEF6A2E000-0x000007FEF6A2F000-memory.dmp

Filesize
4KB

Download
memory/2132-5-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-2-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-14-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-1-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-15-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-13-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-16-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-17-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads