revengerat | 8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65.msi
Size

288KB
MD5

f959677f1823dff599d226429d95c0e6
SHA1

02b546733236c788dec7c680ec38afa03dc5960d
SHA256

8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65
SHA512

7e3781b42b4d2f7533523c986d0778a53ea7e995fa794c5196d49fe2229892519472cff53f6787b7a8c7f307dde0c58bd2be167b90f3c5b59a369796c3ba8547
SSDEEP

6144:GEKG/ZO3j4Tdo89lYaJNB0da/IWf9GVoMsCE4U78tSYX6wD:GEBZO2dRlYUNidhWf2ovL7AX

Score

10^/10

revengerat nov333 discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

revengerat

Botnet

Nov333

80.82.68.21:3333

Mutex

RV_MUTEX-FtNHuiGGjjtnxDp

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

resource	yara_rule
behavioral2/memory/520-18-0x0000000004C80000-0x0000000004CBC000-memory.dmp	beds_protector

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSID061.tmp.exe	MSID061.tmp
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSID061.tmp.exe	MSID061.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 520 set thread context of 4220	520	MSID061.tmp	107

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICFF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID061.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cf27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cf27.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
520	MSID061.tmp
2272	MSID061.tmp
4220	MSID061.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4944	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSID061.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSID061.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3888	msiexec.exe
3888	msiexec.exe
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp
520	MSID061.tmp

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4944	msiexec.exe
Token: SeSecurityPrivilege	3888	msiexec.exe
Token: SeCreateTokenPrivilege	4944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4944	msiexec.exe
Token: SeLockMemoryPrivilege	4944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4944	msiexec.exe
Token: SeMachineAccountPrivilege	4944	msiexec.exe
Token: SeTcbPrivilege	4944	msiexec.exe
Token: SeSecurityPrivilege	4944	msiexec.exe
Token: SeTakeOwnershipPrivilege	4944	msiexec.exe
Token: SeLoadDriverPrivilege	4944	msiexec.exe
Token: SeSystemProfilePrivilege	4944	msiexec.exe
Token: SeSystemtimePrivilege	4944	msiexec.exe
Token: SeProfSingleProcessPrivilege	4944	msiexec.exe
Token: SeIncBasePriorityPrivilege	4944	msiexec.exe
Token: SeCreatePagefilePrivilege	4944	msiexec.exe
Token: SeCreatePermanentPrivilege	4944	msiexec.exe
Token: SeBackupPrivilege	4944	msiexec.exe
Token: SeRestorePrivilege	4944	msiexec.exe
Token: SeShutdownPrivilege	4944	msiexec.exe
Token: SeDebugPrivilege	4944	msiexec.exe
Token: SeAuditPrivilege	4944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4944	msiexec.exe
Token: SeChangeNotifyPrivilege	4944	msiexec.exe
Token: SeRemoteShutdownPrivilege	4944	msiexec.exe
Token: SeUndockPrivilege	4944	msiexec.exe
Token: SeSyncAgentPrivilege	4944	msiexec.exe
Token: SeEnableDelegationPrivilege	4944	msiexec.exe
Token: SeManageVolumePrivilege	4944	msiexec.exe
Token: SeImpersonatePrivilege	4944	msiexec.exe
Token: SeCreateGlobalPrivilege	4944	msiexec.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe
Token: SeBackupPrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe
Token: SeBackupPrivilege	384	srtasks.exe
Token: SeRestorePrivilege	384	srtasks.exe
Token: SeSecurityPrivilege	384	srtasks.exe
Token: SeTakeOwnershipPrivilege	384	srtasks.exe
Token: SeBackupPrivilege	384	srtasks.exe
Token: SeRestorePrivilege	384	srtasks.exe
Token: SeSecurityPrivilege	384	srtasks.exe
Token: SeTakeOwnershipPrivilege	384	srtasks.exe
Token: SeDebugPrivilege	520	MSID061.tmp
Token: SeDebugPrivilege	4220	MSID061.tmp
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe
Token: SeRestorePrivilege	3888	msiexec.exe
Token: SeTakeOwnershipPrivilege	3888	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4944	msiexec.exe
4944	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 384	3888	msiexec.exe	94
PID 3888 wrote to memory of 384	3888	msiexec.exe	94
PID 3888 wrote to memory of 520	3888	msiexec.exe	96
PID 3888 wrote to memory of 520	3888	msiexec.exe	96
PID 3888 wrote to memory of 520	3888	msiexec.exe	96
PID 520 wrote to memory of 2272	520	MSID061.tmp	106
PID 520 wrote to memory of 2272	520	MSID061.tmp	106
PID 520 wrote to memory of 2272	520	MSID061.tmp	106
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107
PID 520 wrote to memory of 4220	520	MSID061.tmp	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\Installer\MSID061.tmp
  "C:\Windows\Installer\MSID061.tmp"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\Installer\MSID061.tmp
    "C:\Windows\Installer\MSID061.tmp"
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Windows\Installer\MSID061.tmp
    "C:\Windows\Installer\MSID061.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSID061.tmp

Filesize
262KB

MD5
49d493901c396507a0d26065e4a75283

SHA1
0fa197bf3b50ca8a6b6be01283e6ba1eebcc7889

SHA256
c04888cf051d59540208dc4e13c7b32366f131d095e50bd97c2c8fbff91c07c3

SHA512
a72ed9410f8fcedd6ea63a5eab84174ad78a397155238651de35c0cd69060f1bc51219430955929753a3fe8347abc0ebdf544d55f452930deab7fa99ff2fc711

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
a660eb6912b577e51e21591330f7c81e

SHA1
5dc9a1028be26a3cacac491d28ed5893004c2d29

SHA256
51980c5021d305b62411fa174f3647441e46ace2258d45861f997cb3b8755099

SHA512
e27ba1208479e47fec58c794da3dea45447949c06d64b9a6c826393b0bd8529fad37aa4a86c48fcded4fd63fa8d9aaedb4aa270757acde1c17966e58b1d3f3ab

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f90d5393-7b04-41a5-98cc-52e9d767448a}_OnDiskSnapshotProp

Filesize
6KB

MD5
502462f5542d16023ca31300c77074b0

SHA1
e6be499a4aea13ff6bbef2cfdcbe424b07836bb8

SHA256
1c3bd052b3d37285a97d030620b372d68d499bccfe84d00c4d790a7923203c2e

SHA512
69b79e1218ddda5cc1e8b6dc667bda4c14a3fc9234f537092a71c3e9301b2807e48f7ff0a781694d01b34945fcb2d95b9814220f55116adee239595a7f6c422e

Download Submit
memory/520-12-0x0000000000090000-0x00000000000D6000-memory.dmp

Filesize
280KB

Download
memory/520-13-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/520-16-0x0000000004AC0000-0x0000000004B52000-memory.dmp

Filesize
584KB

Download
memory/520-17-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/520-18-0x0000000004C80000-0x0000000004CBC000-memory.dmp

Filesize
240KB

Download
memory/520-19-0x0000000006640000-0x00000000066DC000-memory.dmp

Filesize
624KB

Download
memory/520-20-0x00000000066E0000-0x0000000006746000-memory.dmp

Filesize
408KB

Download
memory/4220-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download