Overview

overview

10

Static

static

10

f505850a10...18.exe

windows7-x64

10

f505850a10...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe

  • Size

    177KB

  • MD5

    f505850a106a302f7a4ae64686ed7137

  • SHA1

    6f78c054be779ea4cbcd6100e9f4004dd1d65fed

  • SHA256

    6fa664b3e6255c4f32e6142aa9c23d968e9b1ec58efab5ff1bb30601d08c77cc

  • SHA512

    24c587db202660e8a8d571a3c8cf9667dc9af49046effaedf3318dbfbc91ed9db1d89b47bdd44197a8e4e155e6849b6688cdb89633daeb4d7a7d75bfa5c98bd0

  • SSDEEP

    768:/JUkZ5upgG1i6tTBcdAHZk8ZwLYbDG96e9l:p5SU6vIuk8ZbyFl

Score
10/10
revengeratpersistencestealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f505850a106a302f7a4ae64686ed7137_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6546744.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD263E.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe
    Filesize

    177KB

    MD5

    f505850a106a302f7a4ae64686ed7137

    SHA1

    6f78c054be779ea4cbcd6100e9f4004dd1d65fed

    SHA256

    6fa664b3e6255c4f32e6142aa9c23d968e9b1ec58efab5ff1bb30601d08c77cc

    SHA512

    24c587db202660e8a8d571a3c8cf9667dc9af49046effaedf3318dbfbc91ed9db1d89b47bdd44197a8e4e155e6849b6688cdb89633daeb4d7a7d75bfa5c98bd0

    Download Submit

  • memory/1176-3-0x000000001C660000-0x000000001C706000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1176-4-0x000000001C7D0000-0x000000001C832000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1176-5-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1176-6-0x00007FFA7AF05000-0x00007FFA7AF06000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-7-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1176-8-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1176-0-0x00007FFA7AF05000-0x00007FFA7AF06000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-1-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1176-19-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1176-2-0x000000001C190000-0x000000001C65E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2736-26-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-23-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-25-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-24-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-27-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-28-0x00007FFA56650000-0x00007FFA56660000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-29-0x00007FFA56650000-0x00007FFA56660000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3184-22-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3184-21-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3184-20-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3184-18-0x00007FFA7AC50000-0x00007FFA7B5F1000-memory.dmp

    Filesize

    9.6MB

    Download