Analysis Overview
SHA256
040c253f17159291ca14147125f84e8bd30c5c55fe85f154a19b9f94cf0f6d2a
Threat Level: Known bad
The file JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-06 15:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-06 15:50
Reported
2025-01-06 15:53
Platform
win7-20240903-en
Max time kernel
118s
Max time network
149s
Command Line
Signatures
RevengeRAT
Revengerat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2180 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe | C:\Windows\system32\schtasks.exe |
| PID 2320 wrote to memory of 2524 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\svchost.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"
C:\Windows\system32\schtasks.exe
schtasks /run /TN Update
C:\Windows\system32\taskeng.exe
taskeng.exe {8707DB0C-97EF-4E8F-A5D4-1A3F9CF3912D} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
Files
memory/2180-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp
memory/2180-1-0x0000000000C50000-0x0000000000CB6000-memory.dmp
C:\Windows\System32\svchost.exe

| Hash | Value |
|---|---|
| MD5 | 305822928b102332ae60d12f02da1c41 |
| SHA1 | 160a161ca694a7e92d541de2210e5a361171afc8 |
| SHA256 | 05ba26277038082045e06c102ae5ca998339f20de977c726f06deae857b3408f |
| SHA512 | c5cbf3459c14a78cd99c47db627f4d3ced418650956ae3293e6f02f9e40a4850fa8566497286f8abe0a94fcaf2f91e8a31bf5b6ece9d05d2e9d3858379381981 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-06 15:50
Reported
2025-01-06 15:53
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
RevengeRAT
Revengerat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4592 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /run /TN Update
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
Files
memory/4592-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp
memory/4592-1-0x00000000009B0000-0x0000000000A16000-memory.dmp
C:\Windows\System32\svchost.exe

| Hash | Value |
|---|---|
| MD5 | 305822928b102332ae60d12f02da1c41 |
| SHA1 | 160a161ca694a7e92d541de2210e5a361171afc8 |
| SHA256 | 05ba26277038082045e06c102ae5ca998339f20de977c726f06deae857b3408f |
| SHA512 | c5cbf3459c14a78cd99c47db627f4d3ced418650956ae3293e6f02f9e40a4850fa8566497286f8abe0a94fcaf2f91e8a31bf5b6ece9d05d2e9d3858379381981 |