Malware Analysis Report

2025-04-14 05:12

Sample ID 250107-j8nd8ssmey
Target JaffaCakes118_57c90614896ad66362ef89758a69cb74
SHA256 7476563d5dd9a2e6e3fd20dea60c7d94bc45915af8238a1272d1c91955022943
Tags
stealer revengerat discovery persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7476563d5dd9a2e6e3fd20dea60c7d94bc45915af8238a1272d1c91955022943

Threat Level: Known bad

The file JaffaCakes118_57c90614896ad66362ef89758a69cb74 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat discovery persistence trojan

RevengeRat Executable

RevengeRAT

Revengerat family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2025-01-07 08:20

Signatures

RevengeRat Executable

stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-07 08:20

Reported

2025-01-07 08:23

Platform

win7-20241010-en

Max time kernel

148s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3733625948.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Course = "C:\\Users\\Admin\\AppData\\Roaming\\Courses.exe" | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3733625948.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe"

C:\Users\Admin\AppData\Roaming\Courses.exe

"C:\Users\Admin\AppData\Roaming\Courses.exe"

C:\Users\Admin\AppData\Local\Temp\3733625948.exe

"C:\Users\Admin\AppData\Local\Temp\3733625948.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jokerjoker2022.ddns.net | udp

Files

memory/2448-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

memory/2448-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/2448-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/2448-3-0x00000000746A0000-0x0000000074C4B000-memory.dmp

\Users\Admin\AppData\Roaming\Courses.exe

MD5 57c90614896ad66362ef89758a69cb74
SHA1 589c99e63d6e2493b39a5154df74298bf8d9181b
SHA256 7476563d5dd9a2e6e3fd20dea60c7d94bc45915af8238a1272d1c91955022943
SHA512 d78e3925c5100f7d28d6d681119ed6e43324e36f79ca495f7f5f5d50367afc18e53c51dbe50a15e0a0191094045a9387969f80cc8488c7334005640e048b52fb

memory/2448-14-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/2636-15-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/2636-16-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/2636-17-0x00000000746A0000-0x0000000074C4B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3733625948.exe

MD5 9e83fc421f54556e8346544016317cf5
SHA1 6bdb0fce8e014c34e9d9f03c8d650bacaf13ef64
SHA256 faa7a5f9a4fdc9e396cc6654b39ac01bf2c51bc73322e2ac11127137325e6bfa
SHA512 82cbbcb8ffc8c4b8498cb3280830ee73fa7f25bf07ae54d9cdf3f34198640093681c9a875e8df92f919c5185caae772f29f2a19341ed4b77a0f3291bfb440387

memory/2796-25-0x0000000000830000-0x0000000000880000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-07 08:20

Reported

2025-01-07 08:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3733625948.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Course = "C:\\Users\\Admin\\AppData\\Roaming\\Courses.exe" | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3733625948.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Courses.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57c90614896ad66362ef89758a69cb74.exe"

C:\Users\Admin\AppData\Roaming\Courses.exe

"C:\Users\Admin\AppData\Roaming\Courses.exe"

C:\Users\Admin\AppData\Local\Temp\3733625948.exe

"C:\Users\Admin\AppData\Local\Temp\3733625948.exe"

Network

Repeated identical DNS queries are collapsed below; the Count column gives the number of times each query appeared in the capture, in order of first appearance.

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | jokerjoker2022.ddns.net | udp | 28
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | | udp | 2

Files

memory/1804-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

memory/1804-1-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/1804-2-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/1804-3-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

memory/1804-4-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/1804-5-0x0000000074FA0000-0x0000000075551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Courses.exe

MD5 57c90614896ad66362ef89758a69cb74
SHA1 589c99e63d6e2493b39a5154df74298bf8d9181b
SHA256 7476563d5dd9a2e6e3fd20dea60c7d94bc45915af8238a1272d1c91955022943
SHA512 d78e3925c5100f7d28d6d681119ed6e43324e36f79ca495f7f5f5d50367afc18e53c51dbe50a15e0a0191094045a9387969f80cc8488c7334005640e048b52fb

memory/1804-19-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2948-18-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2948-20-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2948-21-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2948-22-0x0000000074FA0000-0x0000000075551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3733625948.exe

MD5 9e83fc421f54556e8346544016317cf5
SHA1 6bdb0fce8e014c34e9d9f03c8d650bacaf13ef64
SHA256 faa7a5f9a4fdc9e396cc6654b39ac01bf2c51bc73322e2ac11127137325e6bfa
SHA512 82cbbcb8ffc8c4b8498cb3280830ee73fa7f25bf07ae54d9cdf3f34198640093681c9a875e8df92f919c5185caae772f29f2a19341ed4b77a0f3291bfb440387

memory/1416-34-0x0000000071B1E000-0x0000000071B1F000-memory.dmp

memory/1416-35-0x0000000000800000-0x0000000000850000-memory.dmp

memory/1416-36-0x00000000050C0000-0x000000000515C000-memory.dmp

memory/1416-37-0x0000000005760000-0x0000000005D04000-memory.dmp

memory/1416-38-0x0000000005250000-0x00000000052E2000-memory.dmp

memory/1416-39-0x0000000005190000-0x000000000519A000-memory.dmp

memory/1416-41-0x00000000054A0000-0x00000000054F6000-memory.dmp

memory/1416-40-0x0000000071B10000-0x00000000722C0000-memory.dmp

memory/1416-42-0x0000000071B1E000-0x0000000071B1F000-memory.dmp

memory/1416-43-0x0000000071B10000-0x00000000722C0000-memory.dmp