Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-01-2025 16:31
General
-
Target
JaffaCakes118_6df0ecc5cec9ab536e7ca5c5e0670cd0.exe
-
Size
604KB
-
MD5
6df0ecc5cec9ab536e7ca5c5e0670cd0
-
SHA1
e936d8ad2a84605dec3274fd3ef16c98f2882a9d
-
SHA256
1da358ed457821cee339e16bf4ca809d938d7822b53147a46445ec3e336d73dd
-
SHA512
9cadf4d6f978175f42874ee400254a076677f185fa6b54082280096bcd1ff69d62ef5109122ce4f08135bca36632da97ff1e802056ef0512a53805dff34b64f7
-
SSDEEP
12288:L7lw1DxCp0YUfX9F59l3N8aF7ysgfBnnl2JK:L7m1DjFDl3maF7ysgpnncU
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df0ecc5cec9ab536e7ca5c5e0670cd0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df0ecc5cec9ab536e7ca5c5e0670cd0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe -install -3062240 -dcu -8db60d2eefd841818f5a2955d369a5bd - -hu -vfnocrmsugwpkyrz -2622502⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=3062240&appname=[APPNAME]&cbstate=&uid=94fd9dcc-171a-489c-b32e-632ad6a3f995&sid=8db60d2eefd841818f5a2955d369a5bd&scid=&source=hu&language=en-cl&cdata=utyp-31.userid-333732323333393431306239383531393866393238333735.ua-66697265666f782e6578653⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=3062240&appname=[APPNAME]&cbstate=&uid=94fd9dcc-171a-489c-b32e-632ad6a3f995&sid=8db60d2eefd841818f5a2955d369a5bd&scid=&source=hu&language=en-cl&cdata=utyp-31.userid-333732323333393431306239383531393866393238333735.ua-66697265666f782e6578654⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79d5398-1a1f-4849-87df-db532f43999b} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae32227-8cb9-4d48-b100-5e51abeab3d5} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" socket5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1580 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 1576 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6c4b3af-838d-458f-b618-43ef1b2b8227} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 2748 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69d267c5-18ff-483f-b534-d200429f8f1e} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f2a873-b115-481b-800a-b4b827d59864} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" utility5⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5248 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec4c7aba-03cd-4cbe-9aab-a3f1affd0cbc} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5288 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {018afeec-c2c8-4e38-adfb-6d6752e31e32} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0925c8e7-e88f-44cd-8672-690c7c64b9c0} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -childID 6 -isForBrowser -prefsHandle 3568 -prefMapHandle 5948 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a479b211-a11c-49a6-9331-899057d237ce} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5d3ed8817cbe96ec605955b5226ff989e
SHA11034193e72bc5bab15a7138f7fb7eb2e9df4dd09
SHA256619a98ed331fc3aafb1c96f5f6aa328a770425c6c3b0d6c0c59bd4d5b053d7b7
SHA512225a6c173cde6e978ad551cdb2a9771175e34ef1c3833da521fd9aabdf422c239e48f3e5745528aa9d7ed91258afcd74e91f9f2e6557f84022ba238587c86a16
-
Filesize
13KB
MD5815ddd3f9b3ed9fc6e900ab958386a89
SHA1c02d87918e3b3eddacb8043cf71ad17f6a1102ce
SHA256c2b924847a0427bf61852fed286b38d579794474b58490875381c3b6f800a181
SHA5122b9ffeebd0215904af038df8446194d94f2f8f88a37922965636017e2d63550d39e5fcb2f4c3f2333ce471fe742bf85ee5c3b7e576e50e149c7b1c332c380235
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
292KB
MD50f152d15cd6845999b6fe329e87ca52b
SHA134bcde11a22683ec42f88cf11a55df978a1ca53b
SHA2566b0c155bd3f1129d78dc8e076841211963d05f0ec41db5fbbe28199531f611b2
SHA512966f9388dfc106b1e2aed752ec3b2003ed9dc3371098a349232e9aaa47e7e1a58cbba3a85d95334511ebfebe3a14a4429bb354106de72a592c1b8462ca005a5a
-
Filesize
91B
MD5d5168a5e3a4d744e02302879bbe2cb20
SHA1127e74df41b164e98d026899577d4add5f03a6f6
SHA256b427aa39d43395081527785cf8501ed58037e5fd48961ef4c2deec71026705e4
SHA5120f9e306b13b152b72596eeac5b793309e43279a87249bc25c83458fd69dfe128014827cee541d78382d00c42d39ccde68d6e40ebd5e4a06ce3d6a2f7aaf3ef6f
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD59391bdfcbc78003392d2d1fb50664aa7
SHA1210d5906d4c907b063a54f56768210cab28a9877
SHA256e83e659589d93a0018f5b92f532fec3e8187d95a888e341cc78310b565b00f82
SHA512f1d581826e6fce2a8970889cf617ba63e4630f34088c91d1e0b8074e3211e28741363817af718390e307979e568392e5ea2ebe951b59c972f2eb3b2b6496e839
-
Filesize
8KB
MD503d78d5c538579ef8967edab364f1b14
SHA141b5c2c0470435c1b9b546ecd53383310a59106c
SHA25674c6f30058e0d2e6d64882aad95c45fe1bc817b0921a805750ba66ae02abf689
SHA51245560e82e73afd15202871858fafd73e70005beceaf29e18d731292019859bc3068471002a8be8917096ccbab73cb9d2f1616854de5af1f10dd182faf37df8f8
-
Filesize
5KB
MD5e04b9fd3b98bed5c01755293c7e2aa64
SHA1e23012576d42210b12a0df512477e5d04d1d48d5
SHA256916105393a1c4d03e0a810b622c7081a5e53cda035cbe31429c7d6bc12bcc29a
SHA51230d21fb494c3ffda86ad33c6d1acbfb7813b36c1192f39292b6995e3879a14252512d23551a115713236adcf39cfd45418934b41fc9e4c73fa6b8011a9ce3aa7
-
Filesize
6KB
MD57c1181b0110d61f8068f891d693e79a3
SHA1f68f9fab1efc182871ce5a113f6386f707cb30f8
SHA256982454dcd0d7730ef2d18916041e7f01ebb4b8cf89d9802b7a7b19575f8e7261
SHA51238f6e7617b46266f8348cf847a48af9f068576bc7e9f163e7030f0548b8b4c0ab26063297e5ee25f0b71ee3aa54d43d94259ef43420fe012d3338a28ef1ce99d
-
Filesize
671B
MD591f4c445e0ff4ee9ffdabd8315c68016
SHA147958ebcc408c1c02d9c3e56e0aa6c3201d4570f
SHA256ba36e0c5787d6a5109187aaf00c7e1c020650e6f0741e68d8f3ddbcaab8f3a5f
SHA51234f1ae19c2eabd9e810a4854accb1fe1f4170c49c9f73cedff64dbefad8da27e54596270ea4fd95cd798f7ec27b1e19257f3e70235d291b26ad95857eeed1275
-
Filesize
27KB
MD55166e989341c5a7061c115e38d94ff68
SHA1f2b5f9461a1e7b72310538a1e7227ff566394fa1
SHA2565f191b0b3b382890e472b09931d9e5c4c4a348adc012e88d7ea859bc230f66f1
SHA5128335978acb70e8ad739c3f35bcb2f35a8ceefcc3106bb4d1c12c1df149627d22a99189aa6f23bff790adaef3706649eeb46797099665cbde420331e107b6c5bf
-
Filesize
982B
MD571f94895c41ee68ffa62d5cc43230ab1
SHA1f6eaaedf982ef521bc7e07a74603d644671d587a
SHA256242cd06fe9f23f95461aa318d8298a88ca40fa76e3f468437f50c80e3f940a1e
SHA512455d6f0affbe8aa2fb986ed9e69217e7485305ef588aa78b6b1b7ad28956b74a1862bb1ffdd89cb01e09e53705781112e9742e35db547573047eaf922b54bb36
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD546173b83038234c8b93404bda6064679
SHA1e821fac6acb0e98c8ddee4ebda84658595204261
SHA25692c0536a6e3b4af2db0d640991c498b9d404a406bfcda7cb8aa7bddc4842afd6
SHA512c24eb83b176354e6818c01f1bc9ba9f6cb57bf0459068392d9c90e412f91bc88ff0b589b9ea16a94e22700799c3c8bed9d60124994253343fa1271c974384f80
-
Filesize
11KB
MD551b2ebf85870b0045b8e885fc7d2ffb0
SHA129dc3d6bd1e2b80490d21c0fe575f828a4829010
SHA256c29f9782816c4ad7ee10d0cd992da1825e5319182b547aabc0efb71ed0435169
SHA512282e598d86068de8d330871d2cb146a109cc6af7f70465c7f16bc66a657a8fc4938e4fb015cfb3a5c91ee17694b065451e4cb5619a439654d13c640a5250fb1f
-
Filesize
10KB
MD5f67bf8b2964c67e560368ecd53418ea6
SHA1884c3385376af30fe3062e6b38ea0ee985b2d7e2
SHA256ca8f65d5340eabdb7372add9639c7fa79515ac5ef2ff0ad00f9b0ab30cfe5d2b
SHA512d283a43a489065802df6b5bae0283f50a697299526c46214bb38d77cf47bebf78636f780bbf070da93ec7d2bcd957073276bb48efa40dbc02ec263a23c9d8033
-
Filesize
10KB
MD524e0d61d828bc0f2debf3a78f3a3b378
SHA1032b9bfc4407f4b3fccc467f9a88d17224bbbc7e
SHA2561b2e2778b8b38971b09c8e69b5fa1071071a843438e67b557c278027e0d0f39a
SHA512ef90084a06f7431e64e7a4e34b415f9af17316980b0c88d43324c3beca1c451f778a68180e5aae2cce5c865fee4f4d5a3414c433774c068bde261a37dc1e40a2
-
Filesize
1KB
MD5ae9a94c5f51194828199f94a1589c64d
SHA1679fc0f8d3014a8467a40974d163061753546ab7
SHA256f100038693c6d7562082d33a3c885f6983de70a76298349d0bb17aaefad3d1e8
SHA5121bb9fe4cf282d6ef08dc60ec34399c9d7bf84d98930c9d012e8fdddc36c06d4d20be24c74f23a5b571a68859c3f3427dace1883b65d5578fc70ed4c2f1e71d05
-
Filesize
1KB
MD5bf6af702eb20383843d4a20e53ef3bed
SHA18ca02a2dbe981da7dedab3af1896efb0d9cf1681
SHA256fee1f62dab059854eb8f06c99d5f467e9acd5d2edd7d1248d032b8ff7078378b
SHA512854d1d913b18fe6caea47d0b30a1758a7f570cf33c8cd9e84b3f21606b03c45965cb9ff00cde8a4626dec77af26d6491ed1be3c5e2b2870b6c75f52117cfb6c4
-
Filesize
1.2MB
MD575492de1665e6824e3f3fe3c33475da8
SHA1ff9b0083844e471fafbd1bc776a3dbb71b34ac6c
SHA25645bcdc5a37425762d941ee33ece965188685b3f93a5961727c5c4e3d91120165
SHA5120aac8eaf7a380eb3db5f412686b99b18291038f6c97f5b59d4d80f78301b130904f98e6972d4441afbef66e6f03bb4191f74596ecb886e2a344a7258efb5440f
-
Filesize
1.9MB
MD5bcb6e198046ddf9df658d5a52f96529f
SHA17cd571e40f2379337f2df00561ce2771edb3dc9d
SHA256b8411044b12acf9aa23ddf67822057074fc4115be5fc649906ca8785b74b6a36
SHA5123faaaf5bb283cb2d17ede736d22246ff58ffb59cee14ceafe6efde097ffb846100a38ed9acff1dd1bad1f46235db979a906976ce402297bbc9ac48c79a65b90d
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
664KB