Malware Analysis Report

2025-01-18 04:54

Sample ID 241007-ml4z9avajd
Target 1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118
SHA256 d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d
Tags
revengerat discovery stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d

Threat Level: Known bad

The file 1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

revengerat discovery stealer trojan

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 10:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 10:34

Reported

2024-10-07 10:36

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -sofcupnesoulerfx

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:80 bin.download-sponsor.de tcp

Files

\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

MD5 bf3d279766c65e104ac350f9341b7598
SHA1 a2c2496b99f467c8afdf1e55e2b546c6b03d878b
SHA256 a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381
SHA512 d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

memory/2004-12-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

memory/2004-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\sofcupnesoulerfx.dat

MD5 0a3f15c0799a6131415052bca7a1240f
SHA1 55db59d7918eb56a8f0619c18abea844d8d1ac20
SHA256 b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59
SHA512 b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

memory/2004-16-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-17-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-18-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-19-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-20-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-21-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-22-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-23-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-24-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

memory/2004-25-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2004-26-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 10:34

Reported

2024-10-07 10:36

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -xnyggmgdobhtqaad

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:80 bin.download-sponsor.de tcp
US 8.8.8.8:53 237.175.9.176.in-addr.arpa udp
US 8.8.8.8:53 234.175.9.176.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

MD5 bf3d279766c65e104ac350f9341b7598
SHA1 a2c2496b99f467c8afdf1e55e2b546c6b03d878b
SHA256 a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381
SHA512 d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

memory/2864-8-0x00007FFE0C865000-0x00007FFE0C866000-memory.dmp

memory/2864-10-0x000000001C300000-0x000000001C7CE000-memory.dmp

memory/2864-9-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-11-0x000000001C7D0000-0x000000001C876000-memory.dmp

memory/2864-12-0x000000001C920000-0x000000001C9BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\xnyggmgdobhtqaad.dat

MD5 0a3f15c0799a6131415052bca7a1240f
SHA1 55db59d7918eb56a8f0619c18abea844d8d1ac20
SHA256 b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59
SHA512 b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

memory/2864-13-0x0000000001620000-0x0000000001628000-memory.dmp

memory/2864-15-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-16-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-17-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-18-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-19-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-20-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-21-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-22-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-23-0x00007FFE0C865000-0x00007FFE0C866000-memory.dmp

memory/2864-24-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp

memory/2864-26-0x00007FFE0C5B0000-0x00007FFE0CF51000-memory.dmp