revengerat | 4155858c88f64e8d3ea61255cdc85e33ee36238d897f7371045cac475fa509d8

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe
Size

602KB
MD5

66d548d40e897278eca4bd84367f23e0
SHA1

694c13ec8a23055910442f8c256e39b4e7c5596a
SHA256

4155858c88f64e8d3ea61255cdc85e33ee36238d897f7371045cac475fa509d8
SHA512

c315f0b3e6b04031778a41856115e04521a7d775830527fe5d1fde710687e4473336d392bfae94af97ad494550487bc9e9dde8a386f5dfce01482226ed2a225e
SSDEEP

12288:E7lw1DxepPfX9F59l3N8aF7ysgfBnnl2W:E7m1DGFDl3maF7ysgpnncW

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000a000000023b7e-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2152	ocs_v7d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	ocs_v7d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
704	JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe
2152	ocs_v7d.exe
2152	ocs_v7d.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2152	704	JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe	83
PID 704 wrote to memory of 2152	704	JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66d548d40e897278eca4bd84367f23e0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe -install -3913255 -dcude -d571f616a3b241959137fee958a1f069 - -noJS -mwqbiwhjvjbgrmva -327826
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\mwqbiwhjvjbgrmva.dat

Filesize
27B

MD5
1b6d927247036009daa251d57c3bb8b2

SHA1
a4800bdc168486fc2369ff2c3452a64990ac1c17

SHA256
9f7b06f4e98b261d5eade459b05e1193841c9c07bd497d185a978ccd2239fea8

SHA512
2638d1c9c27384f9d57cd8071e110690d08d8e7d8d4e6e15dbe14c50a0fcd7086f09fd5097af8ffe914b1016fc6b01e3bd6f302518afc261bd0f047079645525

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe

Filesize
292KB

MD5
0f152d15cd6845999b6fe329e87ca52b

SHA1
34bcde11a22683ec42f88cf11a55df978a1ca53b

SHA256
6b0c155bd3f1129d78dc8e076841211963d05f0ec41db5fbbe28199531f611b2

SHA512
966f9388dfc106b1e2aed752ec3b2003ed9dc3371098a349232e9aaa47e7e1a58cbba3a85d95334511ebfebe3a14a4429bb354106de72a592c1b8462ca005a5a

Download Submit
memory/2152-11-0x000000001B2E0000-0x000000001B386000-memory.dmp

Filesize
664KB

Download
memory/2152-16-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-9-0x000000001B8F0000-0x000000001BDBE000-memory.dmp

Filesize
4.8MB

Download
memory/2152-12-0x000000001BE60000-0x000000001BEFC000-memory.dmp

Filesize
624KB

Download
memory/2152-14-0x000000001B3A0000-0x000000001B3A8000-memory.dmp

Filesize
32KB

Download
memory/2152-13-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-8-0x00007FFCBD5A5000-0x00007FFCBD5A6000-memory.dmp

Filesize
4KB

Download
memory/2152-10-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-17-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-18-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-19-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-20-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-21-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download
memory/2152-23-0x00007FFCBD2F0000-0x00007FFCBDC91000-memory.dmp

Filesize
9.6MB

Download