Analysis Overview
SHA256
d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d
Threat Level: Known bad
The file 1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 10:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 10:34
Reported
2024-10-07 10:36
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -sofcupnesoulerfx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
Files
\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
| MD5 | bf3d279766c65e104ac350f9341b7598 |
| SHA1 | a2c2496b99f467c8afdf1e55e2b546c6b03d878b |
| SHA256 | a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381 |
| SHA512 | d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa |
memory/2004-12-0x000007FEF641E000-0x000007FEF641F000-memory.dmp
memory/2004-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp
memory/2004-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\sofcupnesoulerfx.dat
| MD5 | 0a3f15c0799a6131415052bca7a1240f |
| SHA1 | 55db59d7918eb56a8f0619c18abea844d8d1ac20 |
| SHA256 | b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59 |
| SHA512 | b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 10:34
Reported
2024-10-07 10:36
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
146s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3456 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 3456 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -xnyggmgdobhtqaad
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
| MD5 | bf3d279766c65e104ac350f9341b7598 |
| SHA1 | a2c2496b99f467c8afdf1e55e2b546c6b03d878b |
| SHA256 | a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381 |
| SHA512 | d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa |
C:\Users\Admin\AppData\Local\Temp\OCS\xnyggmgdobhtqaad.dat
| MD5 | 0a3f15c0799a6131415052bca7a1240f |
| SHA1 | 55db59d7918eb56a8f0619c18abea844d8d1ac20 |
| SHA256 | b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59 |
| SHA512 | b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81 |