Analysis Overview
SHA256
c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c
Threat Level: Known bad
The file 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 22:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 22:00
Reported
2024-10-16 22:03
Platform
win7-20240903-en
Max time kernel
148s
Max time network
123s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Micosoft.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2640 set thread context of 2916 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 876 set thread context of 2332 | N/A | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2332 set thread context of 2380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Micosoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Micosoft.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\Micosoft.exe
"C:\Windows\system32\Micosoft.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | uogapk1.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk2.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk3.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk4.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk5.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk6.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk7.ddns.net | udp |
| US | 34.135.83.243:2222 | uogapk7.ddns.net | tcp |
Files
memory/1964-0-0x000000007443E000-0x000000007443F000-memory.dmp
memory/1964-1-0x0000000001270000-0x0000000001288000-memory.dmp
memory/1964-2-0x000000007443E000-0x000000007443F000-memory.dmp
memory/1964-3-0x0000000000310000-0x0000000000328000-memory.dmp
memory/1964-4-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/1964-5-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2640-7-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-11-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2640-13-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-9-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-19-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/1964-28-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2640-27-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-23-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-18-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2640-29-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2640-30-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2640-31-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2640-32-0x0000000074430000-0x0000000074B1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt
| MD5 | 97b5144a6507e68b558ef2c85c5ef23d |
| SHA1 | 3b3a5db27bdfea8a463df14e92301e57e194f492 |
| SHA256 | 7b2d574fa976abf4814d889601a7a8fc84575a97d0a7d715e257b890c931bc42 |
| SHA512 | 96a0125b415a34efef6b33915bd6fd0e2a144d853560ca7235d1135fab7d8e7d6a814f86534c366cdacdcca0e3e1349102a39cbf3d790f7107efdd34354aefcc |
memory/2916-39-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-36-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-35-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-34-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-33-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-42-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-44-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2916-45-0x00000000002A0000-0x00000000002C0000-memory.dmp
memory/2916-46-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2916-47-0x0000000074430000-0x0000000074B1E000-memory.dmp
\Windows\SysWOW64\Micosoft.exe
| MD5 | 4f423fbb6d7c31fd3cac2c3729e39762 |
| SHA1 | 547daf4dc1fec5c0f81b6f63987f945b68e1f40a |
| SHA256 | c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c |
| SHA512 | 0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9 |
memory/876-55-0x00000000010E0000-0x00000000010F8000-memory.dmp
memory/2640-56-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/2332-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt
| MD5 | 4a63c2de6de95f20781563620320bdfd |
| SHA1 | 6d1da625342dafb630e365914a09fac09a0c7fcb |
| SHA256 | 8a0ec55c9f5ecf4e81c9bed8b0be26c1e123614c40b9f281aeaaf6bcf0869634 |
| SHA512 | 31e56e6f02338529887707aff9cb965e899be45ef806bbb4ab09695511b12e422f2dabd17c181170d38ff569592f21060ffa5ea059149b0fb51b80b0139becbf |
memory/2380-89-0x00000000002B0000-0x00000000002D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 22:00
Reported
2024-10-16 22:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Micosoft.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3948 set thread context of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4336 set thread context of 4044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4132 set thread context of 1140 | N/A | C:\Windows\SysWOW64\Micosoft.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1140 set thread context of 1008 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Micosoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Micosoft.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\Micosoft.exe
"C:\Windows\system32\Micosoft.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uogapk1.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk2.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk3.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk4.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk5.ddns.net | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uogapk6.ddns.net | udp |
| US | 8.8.8.8:53 | uogapk7.ddns.net | udp |
| US | 34.135.83.243:2222 | uogapk7.ddns.net | tcp |
| US | 8.8.8.8:53 | 243.83.135.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3948-0-0x000000007500E000-0x000000007500F000-memory.dmp
memory/3948-1-0x00000000008F0000-0x0000000000908000-memory.dmp
memory/3948-2-0x000000007500E000-0x000000007500F000-memory.dmp
memory/3948-3-0x0000000002C60000-0x0000000002C78000-memory.dmp
memory/3948-4-0x00000000052D0000-0x000000000536C000-memory.dmp
memory/3948-5-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3948-6-0x00000000059D0000-0x0000000005F74000-memory.dmp
memory/3948-7-0x0000000005370000-0x00000000053D6000-memory.dmp
memory/3948-8-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3948-11-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4336-12-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4336-13-0x0000000003070000-0x0000000003088000-memory.dmp
memory/4336-14-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4336-15-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4336-16-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4044-17-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt
| MD5 | 97b5144a6507e68b558ef2c85c5ef23d |
| SHA1 | 3b3a5db27bdfea8a463df14e92301e57e194f492 |
| SHA256 | 7b2d574fa976abf4814d889601a7a8fc84575a97d0a7d715e257b890c931bc42 |
| SHA512 | 96a0125b415a34efef6b33915bd6fd0e2a144d853560ca7235d1135fab7d8e7d6a814f86534c366cdacdcca0e3e1349102a39cbf3d790f7107efdd34354aefcc |
memory/4044-20-0x0000000004F70000-0x0000000004F91000-memory.dmp
memory/4044-19-0x0000000004FB0000-0x0000000004FEC000-memory.dmp
memory/4044-21-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4044-23-0x0000000075000000-0x00000000757B0000-memory.dmp
C:\Windows\SysWOW64\Micosoft.exe
| MD5 | 4f423fbb6d7c31fd3cac2c3729e39762 |
| SHA1 | 547daf4dc1fec5c0f81b6f63987f945b68e1f40a |
| SHA256 | c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c |
| SHA512 | 0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 8c0458bb9ea02d50565175e38d577e35 |
| SHA1 | f0b50702cd6470f3c17d637908f83212fdbdb2f2 |
| SHA256 | c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53 |
| SHA512 | 804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f |
memory/4336-36-0x0000000075000000-0x00000000757B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt
| MD5 | 4a63c2de6de95f20781563620320bdfd |
| SHA1 | 6d1da625342dafb630e365914a09fac09a0c7fcb |
| SHA256 | 8a0ec55c9f5ecf4e81c9bed8b0be26c1e123614c40b9f281aeaaf6bcf0869634 |
| SHA512 | 31e56e6f02338529887707aff9cb965e899be45ef806bbb4ab09695511b12e422f2dabd17c181170d38ff569592f21060ffa5ea059149b0fb51b80b0139becbf |
memory/1008-41-0x0000000002A40000-0x0000000002A61000-memory.dmp