Overview

overview

10

Static

static

3

JaffaCakes...20.exe

windows7-x64

10

JaffaCakes...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_68b8b06c43a35ab7713f6955638f5020.exe

  • Size

    596KB

  • MD5

    68b8b06c43a35ab7713f6955638f5020

  • SHA1

    3bdec54b2356276776b2ea18b8b0bad27f746de3

  • SHA256

    c07473853a3b9eb984c6aa005eb7bd4c6cfec6985f077ea8739e7ea5b6d0a7c1

  • SHA512

    6d770a116ad80cf913de5149e7726b902689c8205cb5618378558053702020abc0e025e4b8a72e3649f11c0d399a859ebc2eb84bc229bc5ebd44f17cf2e5eb36

  • SSDEEP

    6144:4KWlw1Dx+qASTuqfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2:47lw1DxN5HfXeYU43fiysgfBnnl2

Score
10/10
revengeratdiscoverystealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b8b06c43a35ab7713f6955638f5020.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b8b06c43a35ab7713f6955638f5020.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
      C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -360 -fotofreeware -9b3e6717766240a4ba233f0590c9cae5 - - -kdvmbsuviuxualyq -524822
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=fotofreeware&cid=360&appname=[APPNAME]&cbstate=&uid=7d23db55-ffe4-47c4-bb0d-aba2421f92eb&sid=9b3e6717766240a4ba233f0590c9cae5&scid=&source=&language=en-cl&cdata=utyp-31.ua-696578706c6f72652e657865.camp-.userid-653636336163316563343835613363306561313237356132
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    d3ef026dd88e6e5106ac84f80286c124

    SHA1

    75062b0190d63b6ee191c2d3fd7deed40520a363

    SHA256

    2ecb929a03fb648afd921206e9f84eebfe98b3b343061e6d2e5bbf3a1d02619c

    SHA512

    809dafd4a0fb9c3c22d3fff05ebb4c025b35a69b514ddb082565a14b3543581f1c430532b6dec2dd4da97a4c9b9818b57d91dcc6f91a3a5425f5a65a078cf64e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    7fc1ab7a0a629943418d478cf02d747c

    SHA1

    59cc198f36ba4c8d650a75626a4fa79f5e1b0c76

    SHA256

    3f2f3ff22d564b7ca347f9d7af7308637297a374082455f3711f6ad6d4fe563c

    SHA512

    4959424e990697f3053caf87e95488c801dd795a1455153764cfcc6dc7c47260d1e54213fc5820ec7ba43c151bb0d192fc4427862b4b125171f19f6a9b112611

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3FF2.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OCS\kdvmbsuviuxualyq.dat
    Filesize

    99B

    MD5

    2138deb66ab257924dd5fb17bfe1209d

    SHA1

    eb76c576708ea009470cd0c53f4cb9ed72063a5b

    SHA256

    7d590c939c583734c504669a9ce6fb267f5cadf7db5e7808b6fa53d95eed95fd

    SHA512

    faaa9e4365b46d7a8ed442aaf4d8c5d1ba67a01c5b822046e90a986c5b47496fc46468b73fac16f3faa95cf47d69aac242da2ea833b4099e6e3a19e37d6d1506

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
    Filesize

    288KB

    MD5

    317ec5f92cfbf04a53e8125b66b3b4af

    SHA1

    16068b8977b4dc562ae782d91bc009472667e331

    SHA256

    7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

    SHA512

    ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

    Download Submit

  • memory/4712-17-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-20-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-13-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4712-16-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-12-0x000000001BD30000-0x000000001BDCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4712-18-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-19-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-14-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-21-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-22-0x00007FFC53C05000-0x00007FFC53C06000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4712-23-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-25-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-11-0x000000001B1F0000-0x000000001B296000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4712-10-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4712-9-0x000000001B7C0000-0x000000001BC8E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4712-8-0x00007FFC53C05000-0x00007FFC53C06000-memory.dmp

    Filesize

    4KB

    Download