Malware Analysis Report

2025-01-18 04:47

Sample ID 241013-q8w5pszdne
Target 403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118
SHA256 1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda
Tags revengerat discovery stealer trojan spyware
Score 10/10

Analysis Overview

Score 10/10

SHA256 1e5d173cffbdd36f13fcebb3e8be1648606e50196e8b4358fb8635fce8cd9dda

Threat Level: Known bad

The file 403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

revengerat discovery stealer trojan spyware

RevengeRat Executable

RevengeRAT

Revengerat family

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-13 13:56

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-13 13:56
Reported 2024-10-13 13:59
Platform win7-20240903-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1836 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
PID 1836 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
PID 1836 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
PID 1836 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe
PID 1836 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe
PID 1836 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe
PID 1836 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe
PID 2504 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 2504 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 2504 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY1.exe"

C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY2.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 616

Network

N/A

Files

memory/1836-0-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

memory/1836-1-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

memory/1836-2-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

memory/1836-5-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

MD5 d30f3c599e5c9a9213bf004ed1572045
SHA1 37ca6c5e9becbaa39443419b6bfff15c4a9985eb
SHA256 35eb1edc8986931f0e2ce98f0c8428adb49e89cab3f3acf9a307619744e97113
SHA512 3d59ff4f04e16bb2dbc2213ec8235de56256f802c44c2668e761446fc9f6254da899ad064ff87d64905a51b2875cd67328f047fcbfe14d19676285e2ea746ebe

C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

MD5 7c0c00288fdbf932380027ec426b7024
SHA1 dc0d19795d4d1169c72343d37071c9ecf2a7f710
SHA256 f21584df80ee11cca8ad36f2108ce50900141dabc59a05cde0fc4cd868389104
SHA512 b9792915ce0adef9b8efed8bde71eafaec57ecf2b1c6ef65fd323274d18dc132da76cbe05f05d067a5ecefbef7dd870d5a93b823b71d643ffa041c64e48b311e

memory/2504-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

memory/1836-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

memory/2504-18-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

memory/2504-19-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-13 13:56
Reported 2024-10-13 13:59
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICEY2.exe | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICEY2.exe | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ICEY1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ICEY2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\403b7e75b683a9e62b194aa319b6a89d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY1.exe"

C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY2.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/824-0-0x00007FFD65925000-0x00007FFD65926000-memory.dmp

memory/824-1-0x000000001B540000-0x000000001B5E6000-memory.dmp

memory/824-2-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/824-3-0x000000001BAC0000-0x000000001BF8E000-memory.dmp

memory/824-4-0x000000001C0C0000-0x000000001C15C000-memory.dmp

memory/824-5-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/824-6-0x0000000001070000-0x0000000001078000-memory.dmp

memory/824-7-0x000000001C220000-0x000000001C26C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ICEY1.exe

MD5 d30f3c599e5c9a9213bf004ed1572045
SHA1 37ca6c5e9becbaa39443419b6bfff15c4a9985eb
SHA256 35eb1edc8986931f0e2ce98f0c8428adb49e89cab3f3acf9a307619744e97113
SHA512 3d59ff4f04e16bb2dbc2213ec8235de56256f802c44c2668e761446fc9f6254da899ad064ff87d64905a51b2875cd67328f047fcbfe14d19676285e2ea746ebe

C:\Users\Admin\AppData\Local\Temp\ICEY2.exe

MD5 7c0c00288fdbf932380027ec426b7024
SHA1 dc0d19795d4d1169c72343d37071c9ecf2a7f710
SHA256 f21584df80ee11cca8ad36f2108ce50900141dabc59a05cde0fc4cd868389104
SHA512 b9792915ce0adef9b8efed8bde71eafaec57ecf2b1c6ef65fd323274d18dc132da76cbe05f05d067a5ecefbef7dd870d5a93b823b71d643ffa041c64e48b311e

memory/4792-28-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/4792-29-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/4792-31-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/824-30-0x00007FFD65670000-0x00007FFD66011000-memory.dmp

memory/4792-32-0x000000001DCF0000-0x000000001DDC2000-memory.dmp

memory/4792-36-0x00007FFD65670000-0x00007FFD66011000-memory.dmp