revengerat | 1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe
Size

268KB
MD5

403b7e75b683a9e62b194aa319b6a89d
SHA1

46ee35eb4792314d30cf554648c07f8f14683819
SHA256

1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda
SHA512

92314a47ae40731775abb8c899a931cd6f38c8c0150fcc6fc0fc0d3dd5b103313c2a565b3667027e0b61c097595fee85bea309e333512a3241611c22a9819e16
SSDEEP

3072:yW7rphkqhtviNz4C6xV3mGnO927SEMWAD+QNNoJ82uzt4:/piG8bs76D+D2i

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000015d19-15.dat	revengerat

Executes dropped EXE 2 IoCs

pid	Process
2500	ICEY1.exe
2504	ICEY2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICEY1.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2500	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2504	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2504	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2504	1836	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	ICEY2.exe	32
PID 2504 wrote to memory of 2344	2504	ICEY2.exe	32
PID 2504 wrote to memory of 2344	2504	ICEY2.exe	32

C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
  "C:\Users\Admin\AppData\Local\Temp\ICEY1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\ICEY2.exe
  "C:\Users\Admin\AppData\Local\Temp\ICEY2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 616
    3⤵
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

Filesize
60KB

MD5
d30f3c599e5c9a9213bf004ed1572045

SHA1
37ca6c5e9becbaa39443419b6bfff15c4a9985eb

SHA256
35eb1edc8986931f0e2ce98f0c8428adb49e89cab3f3acf9a307619744e97113

SHA512
3d59ff4f04e16bb2dbc2213ec8235de56256f802c44c2668e761446fc9f6254da899ad064ff87d64905a51b2875cd67328f047fcbfe14d19676285e2ea746ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

Filesize
192KB

MD5
7c0c00288fdbf932380027ec426b7024

SHA1
dc0d19795d4d1169c72343d37071c9ecf2a7f710

SHA256
f21584df80ee11cca8ad36f2108ce50900141dabc59a05cde0fc4cd868389104

SHA512
b9792915ce0adef9b8efed8bde71eafaec57ecf2b1c6ef65fd323274d18dc132da76cbe05f05d067a5ecefbef7dd870d5a93b823b71d643ffa041c64e48b311e

Download Submit
memory/1836-0-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/1836-1-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-2-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-5-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-18-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-19-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download