revengerat | 1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda

General

Target

403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe
Size

268KB
MD5

403b7e75b683a9e62b194aa319b6a89d
SHA1

46ee35eb4792314d30cf554648c07f8f14683819
SHA256

1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda
SHA512

92314a47ae40731775abb8c899a931cd6f38c8c0150fcc6fc0fc0d3dd5b103313c2a565b3667027e0b61c097595fee85bea309e333512a3241611c22a9819e16
SSDEEP

3072:yW7rphkqhtviNz4C6xV3mGnO927SEMWAD+QNNoJ82uzt4:/piG8bs76D+D2i

Score

10^/10

revengerat discovery spyware stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0009000000023c7c-19.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICEY2.exe	ICEY2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICEY2.exe	ICEY2.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	ICEY1.exe
4792	ICEY2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICEY1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4792	ICEY2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	ICEY2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4792	ICEY2.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2012	824	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	86
PID 824 wrote to memory of 2012	824	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	86
PID 824 wrote to memory of 2012	824	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	86
PID 824 wrote to memory of 4792	824	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	87
PID 824 wrote to memory of 4792	824	403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
  "C:\Users\Admin\AppData\Local\Temp\ICEY1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\ICEY2.exe
  "C:\Users\Admin\AppData\Local\Temp\ICEY2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

Filesize
60KB

MD5
d30f3c599e5c9a9213bf004ed1572045

SHA1
37ca6c5e9becbaa39443419b6bfff15c4a9985eb

SHA256
35eb1edc8986931f0e2ce98f0c8428adb49e89cab3f3acf9a307619744e97113

SHA512
3d59ff4f04e16bb2dbc2213ec8235de56256f802c44c2668e761446fc9f6254da899ad064ff87d64905a51b2875cd67328f047fcbfe14d19676285e2ea746ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

Filesize
192KB

MD5
7c0c00288fdbf932380027ec426b7024

SHA1
dc0d19795d4d1169c72343d37071c9ecf2a7f710

SHA256
f21584df80ee11cca8ad36f2108ce50900141dabc59a05cde0fc4cd868389104

SHA512
b9792915ce0adef9b8efed8bde71eafaec57ecf2b1c6ef65fd323274d18dc132da76cbe05f05d067a5ecefbef7dd870d5a93b823b71d643ffa041c64e48b311e

Download Submit
memory/824-4-0x000000001C0C0000-0x000000001C15C000-memory.dmp

Filesize
624KB

Download
memory/824-1-0x000000001B540000-0x000000001B5E6000-memory.dmp

Filesize
664KB

Download
memory/824-0-0x00007FFD65925000-0x00007FFD65926000-memory.dmp

Filesize
4KB

Download
memory/824-5-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/824-6-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/824-7-0x000000001C220000-0x000000001C26C000-memory.dmp

Filesize
304KB

Download
memory/824-2-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/824-3-0x000000001BAC0000-0x000000001BF8E000-memory.dmp

Filesize
4.8MB

Download
memory/824-30-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/4792-29-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/4792-31-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/4792-28-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download
memory/4792-32-0x000000001DCF0000-0x000000001DDC2000-memory.dmp

Filesize
840KB

Download
memory/4792-36-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing