General

  • Target

    fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118

  • Size

    108KB

  • Sample

    240928-j135qavgmm

  • MD5

    fbdca5d8d0459e4f2c0a1a6f9870a000

  • SHA1

    65ccc01b26739706066f7c5d8b52ef67e4830f89

  • SHA256

    02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0

  • SHA512

    0ab28167405d40634a6353f7ade8dc7a3ddf57920ac211568a8b44c75be5be108f4f8e6c15d512367542e3057f6bc690c65c1d67d38a073a46e8941e7c1cdf1d

  • SSDEEP

    1536:Wn/RHEQG+JGI0pz0y5W78MmEMmaZiTVRV37jBqaG6D3tSYvGxdHI+:2KV+JGI0pz0yamEMmaZO9j39SYv7+

Malware Config

Extracted

  • Family

    revengerat

  • Botnet

    Guest

  • C2

    pmoses13-47804.portmap.io:47804

  • Mutex

    RV_MUTEX

Targets

    • Target

      fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory
