Malware Analysis Report

2025-04-14 05:10

Sample ID 250107-akrx3svnev
Target JaffaCakes118_42916268bf063c2b532745b214949739
SHA256 7eaeb97de5e37298a1c29e4877a28fc2a60682a4abb0fda2e95f36b4fa337284
Tags stealer revengerat discovery persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7eaeb97de5e37298a1c29e4877a28fc2a60682a4abb0fda2e95f36b4fa337284

Threat Level: Known bad

The file JaffaCakes118_42916268bf063c2b532745b214949739 was found to be: Known bad. The static and behavioral signatures identify it as RevengeRAT. On both the Windows 7 and the Windows 10 run it copies itself to C:\Users\Admin\AppData\Roaming\Courses.exe (same MD5, SHA1, SHA256 and SHA512 as the submitted file) and starts that copy; the copy registers itself under the user's Run key as "Course" and repeatedly queries DNS for jokerjoker2022.ddns.net. No resolved address and no C2 session are recorded in this report, so the dynamic-DNS name and the file hashes are the actionable indicators.

Malicious Activity Summary

stealer revengerat discovery persistence trojan

Revengerat family

RevengeRAT

RevengeRat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The technique table did not survive this export. The signatures listed above correspond to the following Enterprise ATT&CK techniques (mapping supplied by the editor from the signature names, which follow ATT&CK naming):

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
T1614 System Location Discovery (Checks computer location settings)
T1614.001 System Location Discovery: System Language Discovery (signature of the same name)
T1082 System Information Discovery (Enumerates physical storage devices)

Analysis: static1

Detonation Overview

Reported

2025-01-07 00:16

Signatures

RevengeRat Executable (stealer)
  No indicator details recorded.

Revengerat family (revengerat)

Unsigned PE
  No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-07 00:16

Reported

2025-01-07 00:34

Platform

win7-20240903-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe"

Signatures

RevengeRAT (trojan revengerat)

Revengerat family (revengerat)

RevengeRat Executable (stealer)
  No indicator details recorded.

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\Courses.exe

Adds Run key to start application (persistence)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Course = "C:\\Users\\Admin\\AppData\\Roaming\\Courses.exe"
  Process: C:\Users\Admin\AppData\Roaming\Courses.exe
  Note: the Run value is written by the dropped copy (Courses.exe), not by the file that was originally executed, and the value name ("Course") does not match the file name ("Courses.exe"). When hunting, match on value data under the per-user Run key that points into %APPDATA% rather than on the value name, which the operator can change per build.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe, C:\Users\Admin\AppData\Roaming\Courses.exe
  Note: reading NLS\Language is low-signal on its own (many legitimate programs and runtimes read it); it is worth alerting on only in combination, for example when the reader runs from a user-writable directory, as both processes here do.

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege
  Processes: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe, C:\Users\Admin\AppData\Roaming\Courses.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe"

C:\Users\Admin\AppData\Roaming\Courses.exe (dropped self-copy of the sample, started after it; see Files)
  "C:\Users\Admin\AppData\Roaming\Courses.exe"

Network

Country  Destination  Domain                   Proto
US       8.8.8.8:53   jokerjoker2022.ddns.net  udp

Only the DNS query is recorded: the report shows no resolved address and no follow-on TCP session. The dynamic-DNS host name, not an IP, is therefore the network indicator to block and hunt on; expect its A record to change between runs and match on the name.
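As an added example that is not part of the sandbox report, the following Python turns the behaviour recorded in behavioral1 and behavioral2 into log-side detection logic and runs it offline over constructed telemetry: a known-hash match, the self-copy into %APPDATA% (child hash equal to parent hash), the per-user Run value pointing into %APPDATA%, a locale probe (NLS\Language or Geo\Nation) from a user-writable path, and a dynamic-DNS query, while discarding in-addr.arpa reverse lookups of the kind that pad the behavioral2 table. The event field names, the parent-process attribution for Courses.exe, the placeholder explorer.exe hash and the dynamic-DNS suffix list are assumptions of this example, not facts from the report.

```python
"""Detection logic for the RevengeRAT behaviour in this report, run over
constructed Sysmon-like events.  Added example, not part of the report.
Field names are an assumption modelled on Sysmon Event IDs 1 (process
create), 12/13 (registry) and 22 (DNS query); map them to your own schema."""
import ipaddress
import re

# Indicators taken from the report.
SAMPLE_SHA256 = "7eaeb97de5e37298a1c29e4877a28fc2a60682a4abb0fda2e95f36b4fa337284"
C2_DOMAIN = "jokerjoker2022.ddns.net"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe"
COPY_PATH = r"C:\Users\Admin\AppData\Roaming\Courses.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Course")

# Heuristics.  The suffix list and the locale-key list are assumptions.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
LOCALE_KEY_RE = re.compile(r"(\\NLS\\Language$|\\International\\Geo\\Nation$)", re.I)
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.com", "duckdns.org")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name):
    """IPv4 address that a reverse-lookup name refers to, or None.
    The octets are stored reversed: 196.249.167.52.in-addr.arpa -> 52.167.249.196."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:  # an octet above 255 is not a valid PTR name
        return None


def is_dyndns(name):
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNDNS_SUFFIXES)


def detect(events):
    """Return (rule, severity, detail) triples for events matching this report."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            if e.get("sha256") == SAMPLE_SHA256:
                alerts.append(("known_revengerat_hash", "high", e["image"]))
            # Self-copy: a binary under AppData whose hash equals its parent's hash.
            if (USER_WRITABLE_RE.search(e["image"]) and e.get("sha256")
                    and e["sha256"] == e.get("parent_sha256")):
                alerts.append(("self_copy_executed", "high",
                               f'{e["parent_image"]} -> {e["image"]}'))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["data"]):
                alerts.append(("run_key_to_appdata", "medium", f'{e["key"]} = {e["data"]}'))
        elif kind == "registry_query":
            # Locale probes are low-signal alone; surface them only when the
            # reader runs from a user-writable directory.
            if LOCALE_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["image"]):
                alerts.append(("locale_probe_from_appdata", "low", f'{e["image"]} read {e["key"]}'))
        elif kind == "dns_query":
            q = e["query"]
            if ptr_to_ip(q) is not None:
                continue  # reverse lookups: background traffic, not attributable to the sample
            if q.lower().rstrip(".") == C2_DOMAIN or is_dyndns(q):
                alerts.append(("dyndns_or_known_c2_query", "high", f'{e["image"]} -> {q}'))
    return alerts


# Constructed events replaying the behavioral1 run, plus two benign lines.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": SAMPLE_PATH, "sha256": SAMPLE_SHA256,
     "parent_image": r"C:\Windows\explorer.exe", "parent_sha256": "e" * 64},  # placeholder hash
    {"type": "registry_query", "image": SAMPLE_PATH,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_create", "image": COPY_PATH, "sha256": SAMPLE_SHA256,
     "parent_image": SAMPLE_PATH, "parent_sha256": SAMPLE_SHA256},  # parent is assumed
    {"type": "registry_set", "image": COPY_PATH, "key": RUN_KEY, "data": COPY_PATH},
    {"type": "dns_query", "image": COPY_PATH, "query": C2_DOMAIN},
    {"type": "dns_query", "image": r"C:\Windows\System32\svchost.exe",
     "query": "196.249.167.52.in-addr.arpa"},  # reverse-lookup noise as in behavioral2
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},  # benign
]

if __name__ == "__main__":
    for rule, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {detail}")
```

Run as-is it reports six alerts for the replayed run and none for the two benign lines. The self-copy rule is the one that survives a rebuild of the sample: the hash rule breaks on the next build, the Run value name can change, but a parent starting a byte-identical child from %APPDATA% is how this family installs itself on both platforms in the report.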

Files

Memory dumps from the first process, PID 2716 by dump order (names are PID-index-start-end):
  memory/2716-0   0x0000000074B41000-0x0000000074B42000
  memory/2716-1   0x0000000074B40000-0x00000000750EB000
  memory/2716-2   0x0000000074B40000-0x00000000750EB000
  memory/2716-3   0x0000000074B40000-0x00000000750EB000
  memory/2716-14  0x0000000074B40000-0x00000000750EB000

\Users\Admin\AppData\Roaming\Courses.exe
  MD5    42916268bf063c2b532745b214949739
  SHA1   9452606f66285f30adbf60daa5cb7d742a63f7c3
  SHA256 7eaeb97de5e37298a1c29e4877a28fc2a60682a4abb0fda2e95f36b4fa337284
  SHA512 b408882394950b7ea3d596093daa15e867c066a5e38d0de08e4e25ed5c3896e5d19e29f898dd8227982897cb1fefb5c451a42f3da7e0340873dc49ae4acc2907
  These hashes are identical to those of the submitted sample (the MD5 is the hex string in the sample's own name), so Courses.exe is a straight self-copy rather than a distinct second-stage payload; one hash-based rule covers both files.

Memory dumps from the second process, PID 3008 (the dropped copy, by dump order):
  memory/3008-15  0x0000000074B40000-0x00000000750EB000
  memory/3008-16  0x0000000074B40000-0x00000000750EB000
  memory/3008-17  0x0000000074B40000-0x00000000750EB000

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-07 00:16

Reported

2025-01-07 00:33

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe"

Signatures

RevengeRAT (trojan revengerat)

Revengerat family (revengerat)

RevengeRat Executable (stealer)
  No indicator details recorded.

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe
  Note: Geo\Nation holds the user's configured country. Read together with NLS\Language (below) it is a common locale-gating pattern; this read was observed only on the Windows 10 run.

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\Courses.exe

Adds Run key to start application (persistence)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Course = "C:\\Users\\Admin\\AppData\\Roaming\\Courses.exe"
  Process: C:\Users\Admin\AppData\Roaming\Courses.exe
  Note: as on Windows 7, the persistence value is written by the dropped copy itself, under a value name ("Course") that differs from the file name.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe, C:\Users\Admin\AppData\Roaming\Courses.exe
  Note: low-signal on its own; see the same signature in behavioral1.

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege
  Processes: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe, C:\Users\Admin\AppData\Roaming\Courses.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42916268bf063c2b532745b214949739.exe"

C:\Users\Admin\AppData\Roaming\Courses.exe (dropped self-copy of the sample, started after it; see Files)
  "C:\Users\Admin\AppData\Roaming\Courses.exe"

Network

Queries per name over the 152 s network window (all to 8.8.8.8:53, udp):

Country  Destination  Domain                       Proto  Queries
US       8.8.8.8:53   jokerjoker2022.ddns.net      udp    24
US       8.8.8.8:53   196.249.167.52.in-addr.arpa  udp    1   (PTR for 52.167.249.196)
US       8.8.8.8:53   8.153.16.2.in-addr.arpa      udp    1   (PTR for 2.16.153.8)
US       8.8.8.8:53   95.221.229.192.in-addr.arpa  udp    1   (PTR for 192.229.221.95)
US       8.8.8.8:53   28.118.140.52.in-addr.arpa   udp    1   (PTR for 52.140.118.28)
US       8.8.8.8:53   197.87.175.4.in-addr.arpa    udp    1   (PTR for 4.175.87.197)
US       8.8.8.8:53   15.164.165.52.in-addr.arpa   udp    1   (PTR for 52.165.164.15)
US       8.8.8.8:53   75.117.19.2.in-addr.arpa     udp    1   (PTR for 2.19.117.75)
US       8.8.8.8:53   60.153.16.2.in-addr.arpa     udp    1   (PTR for 2.16.153.60)

The 24 queries for jokerjoker2022.ddns.net were interleaved with the reverse lookups. Repeated queries for the same name with no recorded answer and no follow-on connection are consistent with a C2 name that did not resolve during the run, with the sample retrying. The in-addr.arpa entries are reverse lookups of addresses the operating system itself contacts and are typical Windows 10 background traffic (the Windows 7 run shows none); nothing in this report ties them to the sample, so they should not be added to a block list.

Files

Memory dumps from the first process, PID 5040 by dump order (names are PID-index-start-end):
  memory/5040-0   0x0000000074A92000-0x0000000074A93000
  memory/5040-1   0x0000000074A90000-0x0000000075041000
  memory/5040-2   0x0000000074A90000-0x0000000075041000
  memory/5040-3   0x0000000074A92000-0x0000000074A93000
  memory/5040-4   0x0000000074A90000-0x0000000075041000
  memory/5040-5   0x0000000074A90000-0x0000000075041000
  memory/5040-15  0x0000000074A90000-0x0000000075041000

C:\Users\Admin\AppData\Roaming\Courses.exe
  MD5    42916268bf063c2b532745b214949739
  SHA1   9452606f66285f30adbf60daa5cb7d742a63f7c3
  SHA256 7eaeb97de5e37298a1c29e4877a28fc2a60682a4abb0fda2e95f36b4fa337284
  SHA512 b408882394950b7ea3d596093daa15e867c066a5e38d0de08e4e25ed5c3896e5d19e29f898dd8227982897cb1fefb5c451a42f3da7e0340873dc49ae4acc2907
  Identical to the submitted sample on all four hashes, as in behavioral1.

Memory dumps from the second process, PID 1480 (the dropped copy, by dump order):
  memory/1480-16  0x0000000074A90000-0x0000000075041000
  memory/1480-17  0x0000000074A90000-0x0000000075041000
  memory/1480-18  0x0000000074A90000-0x0000000075041000
  memory/1480-19  0x0000000074A90000-0x0000000075041000