revengerat | c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Size

69KB
MD5

4f423fbb6d7c31fd3cac2c3729e39762
SHA1

547daf4dc1fec5c0f81b6f63987f945b68e1f40a
SHA256

c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c
SHA512

0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9
SSDEEP

1536:3OtU5/9U/H52Bw+RqX82e7thSxUzKU4dHy7JH14qwqMWchkx:eta/uou+Re5cnKU4dkt6WchI

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1964-3-0x0000000000310000-0x0000000000328000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

pid	Process
876	Micosoft.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	RegSvcs.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 2640 set thread context of 2916	2640	RegSvcs.exe	31
PID 876 set thread context of 2332	876	Micosoft.exe	35
PID 2332 set thread context of 2380	2332	RegSvcs.exe	36

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micosoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	RegSvcs.exe
Token: SeDebugPrivilege	876	Micosoft.exe
Token: SeDebugPrivilege	2332	RegSvcs.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2640	1964	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 2916	2640	RegSvcs.exe	31
PID 2640 wrote to memory of 876	2640	RegSvcs.exe	34
PID 2640 wrote to memory of 876	2640	RegSvcs.exe	34
PID 2640 wrote to memory of 876	2640	RegSvcs.exe	34
PID 2640 wrote to memory of 876	2640	RegSvcs.exe	34
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 876 wrote to memory of 2332	876	Micosoft.exe	35
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36
PID 2332 wrote to memory of 2380	2332	RegSvcs.exe	36

C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\Micosoft.exe
    "C:\Windows\system32\Micosoft.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt

Filesize
84B

MD5
97b5144a6507e68b558ef2c85c5ef23d

SHA1
3b3a5db27bdfea8a463df14e92301e57e194f492

SHA256
7b2d574fa976abf4814d889601a7a8fc84575a97d0a7d715e257b890c931bc42

SHA512
96a0125b415a34efef6b33915bd6fd0e2a144d853560ca7235d1135fab7d8e7d6a814f86534c366cdacdcca0e3e1349102a39cbf3d790f7107efdd34354aefcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt

Filesize
32B

MD5
4a63c2de6de95f20781563620320bdfd

SHA1
6d1da625342dafb630e365914a09fac09a0c7fcb

SHA256
8a0ec55c9f5ecf4e81c9bed8b0be26c1e123614c40b9f281aeaaf6bcf0869634

SHA512
31e56e6f02338529887707aff9cb965e899be45ef806bbb4ab09695511b12e422f2dabd17c181170d38ff569592f21060ffa5ea059149b0fb51b80b0139becbf

Download Submit
\Windows\SysWOW64\Micosoft.exe

Filesize
69KB

MD5
4f423fbb6d7c31fd3cac2c3729e39762

SHA1
547daf4dc1fec5c0f81b6f63987f945b68e1f40a

SHA256
c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c

SHA512
0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9

Download Submit
memory/876-55-0x00000000010E0000-0x00000000010F8000-memory.dmp

Filesize
96KB

Download
memory/1964-3-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/1964-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-4-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1964-2-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000001270000-0x0000000001288000-memory.dmp

Filesize
96KB

Download
memory/1964-28-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-89-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2640-31-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-19-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-18-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-29-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-30-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-27-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-32-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-9-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-7-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-11-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-23-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2640-56-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-13-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2916-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-45-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2916-46-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-47-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-44-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2916-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download