Overview

overview

10

Static

static

1

JaffaCakes...45.vbs

windows7-x64

3

JaffaCakes...45.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245.vbs

  • Size

    77KB

  • MD5

    4e69333b05d347f5383146cb52f2069d

  • SHA1

    b20c2dfec1d341e33caab1826ee49cedb2029db6

  • SHA256

    f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245

  • SHA512

    be303a7bcdf7ab9954e025dac326c518c3ac27e5449122fa0e8f729c6c46dc35e993481decbdbc7375f5067dc4ceee4848d576a431fe4056176d7867c9af0a8d

  • SSDEEP

    1536:1Jgz0H2SkJmJere42kaI+NiQtRCDKZX9n3jLNYPu:Hgc7

Score
10/10
revengeratclientdiscoveryexecutiontrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

YX0NUIJIFJ582LY

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxywy5pw\zxywy5pw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp" "c:\Users\Admin\AppData\Local\Temp\zxywy5pw\CSCA3DF6BD07BDA420480E735F33EA5B45.TMP"
          4⤵
            PID:2000
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp
      Filesize

      1KB

      MD5

      c1013d058bd1c426c548c5904d759e19

      SHA1

      3dc213420d0000f9ac1ca2b2bd57098acb4e2b8e

      SHA256

      f82086bbdbc6387f50930fb3b44c451d626f2a8aef7e0af18d33e5e2a986c84b

      SHA512

      92e0a8857683277fc3492d0924e741614cbdc09cbd4718c08dc4b24bbb66a0af54405a590038ea3a8caa4d26c760111597191c37e571e3f543a01d6ac47d6e53

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
      Filesize

      51KB

      MD5

      38fb9ae219cc70744abe72a8d03de55f

      SHA1

      e200e3264f91ccc900a5f043d6df741c05bca298

      SHA256

      1d3555606bf01f6597609dc4eea06695b8fde77fe886052ed72b60907ca22146

      SHA512

      50a1b3c464e5e6dd1fa1b790de8e964b9f3394450ba6a55e2150a9d0d610e30c1ec49925a37aa57080ce57e2524dbcb1183ebd83531e6a2c0ff3ebf1593bf4b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3anfoz3.uao.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\zxywy5pw\zxywy5pw.dll
      Filesize

      13KB

      MD5

      10212592c22b3193bc070a5aa4cb4497

      SHA1

      8210a0315656c94f315cfde78bd0bc505b783d57

      SHA256

      e73caeacca164ed91dbd535a09852975f421dcd9c94331eaa700be986dfc04f9

      SHA512

      ed79875f803dd930b582763b661e4a3e56a1e1c716d1a66f8bef6a5bcdabb635cee9491d121164953dc2c293b9aae59092d3a3a4b5b611821d4a3abdfbe2ab19

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\zxywy5pw\CSCA3DF6BD07BDA420480E735F33EA5B45.TMP
      Filesize

      652B

      MD5

      415ef947a00dcab35512b26ab2fcbc7d

      SHA1

      9080b9d576edc97d242c984a3d88185952f85b7b

      SHA256

      da367ed290e263bdb98749409a7482fde0e834ff7b1519163fc97be810475cb7

      SHA512

      c906443d4dd6c8ba61ed706d7d63a7ed4a9defa7f9a9dfbae60fa088d8a0264b613a5e1a21072d0407704ee427d29769966c10732e70c0d170839de49fa35874

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\zxywy5pw\zxywy5pw.0.cs
      Filesize

      13KB

      MD5

      e03b1e7ba7f1a53a7e10c0fd9049f437

      SHA1

      3bb851a42717eeb588eb7deadfcd04c571c15f41

      SHA256

      3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

      SHA512

      a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\zxywy5pw\zxywy5pw.cmdline
      Filesize

      327B

      MD5

      a59795a2e0b6883979ad4cc3b3cadc1f

      SHA1

      0b8ad116f6b4f77a8a6e96889a09e04ca05ddb33

      SHA256

      b4d5e5b7dd8fbf842134748f277f3272aac25bbed7b802bd5005fa370fee4751

      SHA512

      138b32a0ea6293f82a91cc59fe1851366146aba9f8cd4f7e5befa4b18ac58d83eca632457aae462d6312efbedb13e84bd35414f9ebcce48be0e6473af4c99d01

      Download Submit

    • memory/2156-37-0x00000000054D0000-0x000000000556C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2156-36-0x00000000058A0000-0x0000000005E44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2156-32-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4324-13-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-16-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-30-0x0000018D367A0000-0x0000018D367AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4324-15-0x0000018D38FD0000-0x0000018D39046000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4324-1-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4324-35-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-12-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-2-0x0000018D36740000-0x0000018D36762000-memory.dmp

      Filesize

      136KB

      Download