Overview

overview

10

Static

static

10

JaffaCakes...24.exe

windows7-x64

10

JaffaCakes...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5792e1610df899d8fb7564e6fdf5cc5b8cf13162bd17c88b3351009c738d6924.exe

  • Size

    20KB

  • MD5

    c9bc80980cd6b0deaf7d24a0d6c479a8

  • SHA1

    7cd003e70561acd1d7792fec9a76ed44d2ffd3e6

  • SHA256

    5792e1610df899d8fb7564e6fdf5cc5b8cf13162bd17c88b3351009c738d6924

  • SHA512

    7fcd2a7c1a62ddcca3e0e7c05fcfb715009e404d822f3da03c732b6b432cb4c5e5c3248e81259f1eadebbf080dd07c20d9e2add47e0ee2e1d7b42fcbcdaa0484

  • SSDEEP

    192:u10ntu2f2k5pKTkyp6aeFknKNM8YB2YhvnklZBldmMs4kblmf+jF9nsa3V5p9EyG:u1N2f2kSb2ivk1lls4almMscDp6ytXY

Score
10/10
revengeratclientdiscoverystealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

127.0.0.1:333

127.0.0.1:37337
Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5792e1610df899d8fb7564e6fdf5cc5b8cf13162bd17c88b3351009c738d6924.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5792e1610df899d8fb7564e6fdf5cc5b8cf13162bd17c88b3351009c738d6924.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1808
      • C:\Users\Admin\AppData\Roaming\teamviewer.exe
        "C:\Users\Admin\AppData\Roaming\teamviewer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3428
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1588
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "teamviewer" /tr "C:\Users\Admin\AppData\Roaming\teamviewer.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3708
  • C:\Users\Admin\AppData\Roaming\teamviewer.exe
    C:\Users\Admin\AppData\Roaming\teamviewer.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
    Filesize

    142B

    MD5

    8c0458bb9ea02d50565175e38d577e35

    SHA1

    f0b50702cd6470f3c17d637908f83212fdbdb2f2

    SHA256

    c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

    SHA512

    804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HawrHJfWf.txt
    Filesize

    116B

    MD5

    58667f8708f0cde87aa2cf2624a162fb

    SHA1

    09acd79a6d5d0be373c66098ffc641d0630fead3

    SHA256

    9ff0296ff849b4b8659b8b5c97f5ed77cc1b4de9aa1bf8c02be2fc21249d8b6e

    SHA512

    ecc6173cd0c8c61e35e8b1b6c7eb25201d2b1a91fa8058339a530f1cb56aaf630f7c33b7cd842f0bbf03fe18acaac3502ceda298ffa4d3a443286451d2254713

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HawrHJfWf.txt
    Filesize

    45B

    MD5

    01c97a9ee076601d1c5420a013bf3230

    SHA1

    125b4e7f4ea862a632a929ae6c95688f46ddb5d0

    SHA256

    1eaede495cd8133b36ee2667cbd47b070aa59fd4fdb1e7e8b54f341f86193f94

    SHA512

    730854ebb294edf1f10a20150962a6df58b9fdfef498f40aa3c4909b8ed54e3bf292cc2826dd3fc83cd792ffe005a50290af6d94e22b5fbeba10d6f674f17238

    Download Submit

  • C:\Users\Admin\AppData\Roaming\teamviewer.exe
    Filesize

    20KB

    MD5

    c9bc80980cd6b0deaf7d24a0d6c479a8

    SHA1

    7cd003e70561acd1d7792fec9a76ed44d2ffd3e6

    SHA256

    5792e1610df899d8fb7564e6fdf5cc5b8cf13162bd17c88b3351009c738d6924

    SHA512

    7fcd2a7c1a62ddcca3e0e7c05fcfb715009e404d822f3da03c732b6b432cb4c5e5c3248e81259f1eadebbf080dd07c20d9e2add47e0ee2e1d7b42fcbcdaa0484

    Download Submit

  • memory/1212-20-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-17-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-32-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-8-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1212-10-0x00000000048E0000-0x000000000497C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1212-11-0x0000000004F30000-0x00000000054D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1212-12-0x0000000004980000-0x00000000049E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1212-6-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1588-37-0x0000000002DD0000-0x0000000002DF1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1808-16-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1808-13-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1808-15-0x0000000004E70000-0x0000000004EAC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1808-19-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1808-21-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2352-31-0x0000000000F60000-0x0000000000F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2380-4-0x000000001CB40000-0x000000001CBA2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2380-0-0x00007FFEB41C5000-0x00007FFEB41C6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-3-0x000000001C9D0000-0x000000001CA76000-memory.dmp

    Filesize

    664KB

    Download

  • memory/2380-1-0x00007FFEB3F10000-0x00007FFEB48B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-9-0x00007FFEB3F10000-0x00007FFEB48B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2380-2-0x000000001C500000-0x000000001C9CE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2380-7-0x00007FFEB3F10000-0x00007FFEB48B1000-memory.dmp

    Filesize

    9.6MB

    Download