Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 14:21
General
-
Target
0b18382d5ac0f30d8773acb6d5671a74_JaffaCakes118.exe
-
Size
728KB
-
MD5
0b18382d5ac0f30d8773acb6d5671a74
-
SHA1
f4ccfc6cc940aeb2a30489458f781a6c5d78fdd8
-
SHA256
af813a303e700b27c7ba44acc90ec98b650c9a0bc0d471fd337f5271c81a7458
-
SHA512
e089a7b956b692f02dbebfde28a90e2cc8ca6d6743d7587d3b21a556dfc816bd0e40215e180a026dd02ec76a7945b1f70cc4d6f6743f66bf247a52207dea73fd
-
SSDEEP
12288:8lGRF0NXm4Vtjfx8G8PpJLj8KbqOQjg3uxf9LbNgoGwWbvh8ByS9NULj7OT6G:8oRF0c43r78PbLYKKg3uxfZNgjvVWmL4
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
ownage12
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 7 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b18382d5ac0f30d8773acb6d5671a74_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0b18382d5ac0f30d8773acb6d5671a74_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /C cd C:\Users\Admin\AppData\Roaming\Microsoft2⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd /C C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe >C:\Users\Admin\AppData\Roaming\Microsoft\Error.txt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exeC:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
283B
MD51d870fe37141ae58bc38bc6794374781
SHA18b20b3096f36fe4d343fc770c5f29a7983760d48
SHA256c51d09b0f2fe56f42ea2a852e6de4d8a45e5dbaa610c4caabb30c9c0ec3f8360
SHA512575b36d30e80c75fe3bb97ba057260f283286f88f5e6b008b806402acf6d94d081ddae3414c531522d2bca51327732f83596fbaf1550d827574a8b4496b03e79
-
Filesize
200KB
MD5dab03dc446a8d2b809ce7aade0fab8b4
SHA13c6c19c9c6612653aab2cce45a6507547142fab1
SHA2562c19dd25af9acc7ae31881c28108acb64a6b544622b97aebb0e55af783402e00
SHA51252ae8830e522b5314820edaca9cddc2cddb2e477874a7207bc4f65a8d22d94a3d5909000c113cb417db3d6c00e8f86306a518ff168f815e9029959977b833dc4
-
Filesize
72KB
MD572414dfb0b112c664d2c8d1215674e09
SHA150a1e61309741e92fe3931d8eb606f8ada582c0a
SHA25669e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71
SHA51241428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9
-
Filesize
172KB
MD57ddbd64d87c94fd0b5914688093dd5c2
SHA1d49d1f79efae8a5f58e6f713e43360117589efeb
SHA256769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1
SHA51260eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d
-
Filesize
8KB
MD5c73ec58b42e66443fafc03f3a84dcef9
SHA15e91f467fe853da2c437f887162bccc6fd9d9dbe
SHA2562dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7
SHA5126318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf
-
Filesize
6KB
MD5ee44d5d780521816c906568a8798ed2f
SHA12da1b06d5de378cbfc7f2614a0f280f59f2b1224
SHA25650b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc
SHA512634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8
-
Filesize
155KB
MD5e846285b19405b11c8f19c1ed0a57292
SHA12c20cf37394be48770cd6d396878a3ca70066fd0
SHA256251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477
SHA512b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
304KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
392KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
100KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
9.6MB
-
Filesize
776KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
80KB
-
Filesize
664KB
-
Filesize
180KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
380KB
-
Filesize
428KB
-
Filesize
380KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
180KB
-
Filesize
412KB
-
Filesize
428KB