Overview

overview

10

Static

static

10

JaffaCakes...54.exe

windows7-x64

10

JaffaCakes...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454.exe

  • Size

    20KB

  • MD5

    126bd8afd4b7c1ad5676e489e7463511

  • SHA1

    f08b87f487d7ea75a97ac10a7d995b5e83187f72

  • SHA256

    ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

  • SHA512

    71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

  • SSDEEP

    384:cr565ODk2ib/FPK+2tMs4wlmMsq3puy7XY:cr5615D2tMwlXY

Score
10/10
revengeratclientdiscoverystealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

127.0.0.1:333

127.0.0.1:37337
Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2964
      • C:\Users\Admin\AppData\Roaming\teamviewer.exe
        "C:\Users\Admin\AppData\Roaming\teamviewer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2988
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "teamviewer" /tr "C:\Users\Admin\AppData\Roaming\teamviewer.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:956
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F7F925F6-F371-4FA6-B38D-3626FAB7B413} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\Roaming\teamviewer.exe
      C:\Users\Admin\AppData\Roaming\teamviewer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
    Filesize

    116B

    MD5

    5a6c908109cc2f65cb7a8bfd64bb874e

    SHA1

    268daea3b4b28556e0dded357109b05ef267ce6f

    SHA256

    b7d4593ed79288605f74b410ce344c855251c65ec5cc7ce09f1752eba29b30d6

    SHA512

    f33468a912b296859b211613dae44bada1b004a915356902980a7f58da7765c2b37f0cc44406a9365a4088f50454f5db68db567b46bb4ba47ca530f494b5a91f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
    Filesize

    45B

    MD5

    01c97a9ee076601d1c5420a013bf3230

    SHA1

    125b4e7f4ea862a632a929ae6c95688f46ddb5d0

    SHA256

    1eaede495cd8133b36ee2667cbd47b070aa59fd4fdb1e7e8b54f341f86193f94

    SHA512

    730854ebb294edf1f10a20150962a6df58b9fdfef498f40aa3c4909b8ed54e3bf292cc2826dd3fc83cd792ffe005a50290af6d94e22b5fbeba10d6f674f17238

    Download Submit

  • \Users\Admin\AppData\Roaming\teamviewer.exe
    Filesize

    20KB

    MD5

    126bd8afd4b7c1ad5676e489e7463511

    SHA1

    f08b87f487d7ea75a97ac10a7d995b5e83187f72

    SHA256

    ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

    SHA512

    71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

    Download Submit

  • memory/1532-92-0x0000000000300000-0x0000000000320000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2144-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-30-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-28-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2188-4-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2188-3-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2188-12-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-7-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2188-63-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2188-11-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2188-9-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2188-31-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2188-5-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2964-26-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-27-0x0000000000200000-0x0000000000220000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2964-24-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-13-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-15-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-17-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-18-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2964-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2988-66-0x0000000000210000-0x0000000000230000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3032-29-0x000007FEF64C0000-0x000007FEF6E5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3032-0-0x000007FEF677E000-0x000007FEF677F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3032-2-0x000007FEF64C0000-0x000007FEF6E5D000-memory.dmp

    Filesize

    9.6MB

    Download