Malware Analysis Report

2025-04-14 05:12

Sample ID 250106-s99hjazrcy
Target JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0
SHA256 040c253f17159291ca14147125f84e8bd30c5c55fe85f154a19b9f94cf0f6d2a
Tags
revengerat limerevenge trojan
score
10/10


Analysis Overview

score
10/10

SHA256

040c253f17159291ca14147125f84e8bd30c5c55fe85f154a19b9f94cf0f6d2a

Threat Level: Known bad

The file JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0 was found to be: Known bad.

Malicious Activity Summary

revengerat limerevenge trojan

RevengeRAT

Revengerat family

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-06 15:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-06 15:50

Reported

2025-01-06 15:53

Platform

win7-20240903-en

Max time kernel

118s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\‌svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\‌svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\‌svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"

C:\Windows\system32\schtasks.exe

schtasks /run /TN Update

C:\Windows\system32\taskeng.exe

taskeng.exe {8707DB0C-97EF-4E8F-A5D4-1A3F9CF3912D} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Windows\System32\‌svchost.exe

C:\Windows\System32\‌svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp

Files

memory/2180-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

memory/2180-1-0x0000000000C50000-0x0000000000CB6000-memory.dmp

C:\Windows\System32\‌svchost.exe

MD5 305822928b102332ae60d12f02da1c41
SHA1 160a161ca694a7e92d541de2210e5a361171afc8
SHA256 05ba26277038082045e06c102ae5ca998339f20de977c726f06deae857b3408f
SHA512 c5cbf3459c14a78cd99c47db627f4d3ced418650956ae3293e6f02f9e40a4850fa8566497286f8abe0a94fcaf2f91e8a31bf5b6ece9d05d2e9d3858379381981

memory/2524-5-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

memory/2524-6-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

memory/2524-7-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

memory/2524-8-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

memory/2524-9-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-06 15:50

Reported

2025-01-06 15:53

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\‌svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\‌svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\‌svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5c01af4c821c358cbb0e00cfcae4b0.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /run /TN Update

C:\Windows\System32\‌svchost.exe

C:\Windows\System32\‌svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp

Files

memory/4592-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp

memory/4592-1-0x00000000009B0000-0x0000000000A16000-memory.dmp

C:\Windows\System32\‌svchost.exe

MD5 305822928b102332ae60d12f02da1c41
SHA1 160a161ca694a7e92d541de2210e5a361171afc8
SHA256 05ba26277038082045e06c102ae5ca998339f20de977c726f06deae857b3408f
SHA512 c5cbf3459c14a78cd99c47db627f4d3ced418650956ae3293e6f02f9e40a4850fa8566497286f8abe0a94fcaf2f91e8a31bf5b6ece9d05d2e9d3858379381981

memory/1752-6-0x00007FFC53C05000-0x00007FFC53C06000-memory.dmp

memory/1752-7-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

memory/1752-8-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp

memory/1752-9-0x000000001C410000-0x000000001C8DE000-memory.dmp

memory/1752-10-0x000000001C990000-0x000000001CA36000-memory.dmp

memory/1752-11-0x000000001D130000-0x000000001D192000-memory.dmp

memory/1752-12-0x00007FFC53C05000-0x00007FFC53C06000-memory.dmp

memory/1752-13-0x00007FFC53950000-0x00007FFC542F1000-memory.dmp