revengerat | 1a22f02398291dd8020b017fc6f5f85eebec35e97795e5c13ac4ba512e5bcb23

General

Target

a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Size

86KB
MD5

a181b9744850a2b083c2b38f8dc0ae62
SHA1

614b3edc7ac2cb4ce872c163c14d5bae40aa410a
SHA256

1a22f02398291dd8020b017fc6f5f85eebec35e97795e5c13ac4ba512e5bcb23
SHA512

37b1f51010b42300f34466c388573ffe34930060c12bab0edecb4f10e07a8e6ac8d51fac3b78d4cb29088b3e33f73166e30d83d55ee48da87fc52a7a10abd706
SSDEEP

1536:dhReVQ4ao0s/XjLKFJn5kyD/HYtRODDOkpDWUAwaC6ikmU:bReVZaoh/XjLKFJnSyctRODSkpyUAwa3

Score

10^/10

revengerat discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00070000000173a9-9.dat	revengerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ComponentID = "Windows Firewall"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ = "Microsoft Windows"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\Firewall.exe"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2832	UAC.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\UAC.exe"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\UAC.exe"	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\UAC.exe"	UAC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\UAC.exe"	UAC.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UAC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	UAC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
2832	UAC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2680	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2680	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2680	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2680	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2832	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2832	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2832	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2832	2212	a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a181b9744850a2b083c2b38f8dc0ae62_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\REG.exe
  REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\UAC.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\UAC.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\Firewall.exe

Filesize
86KB

MD5
a181b9744850a2b083c2b38f8dc0ae62

SHA1
614b3edc7ac2cb4ce872c163c14d5bae40aa410a

SHA256
1a22f02398291dd8020b017fc6f5f85eebec35e97795e5c13ac4ba512e5bcb23

SHA512
37b1f51010b42300f34466c388573ffe34930060c12bab0edecb4f10e07a8e6ac8d51fac3b78d4cb29088b3e33f73166e30d83d55ee48da87fc52a7a10abd706

Download Submit
memory/2212-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2212-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-3-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-7-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-19-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-21-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-17-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-20-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads