revengerat | 5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7

Analysis

max time kernel
140s
max time network
47s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
Size

60KB
MD5

91104d8f4ecd179a4ed5432d892756db
SHA1

39e745d84e1d6bcad456730a22ea6f8ce52192ba
SHA256

5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7
SHA512

e4ba79056502b0f8c0966bd12ef0dab8e56009623f888f034d24fc85323f091e571cdf3bbc8e46c401e2a33a231190e2b4a00ae50171a47afd00067028389167
SSDEEP

1536:6FIKcG3XCvYtGq2gkXp1z7r5bjzjFnpVjyl+:6FIE3Cyh2th7NL1jq+

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00360000000194ef-44.dat	revengerat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2296 set thread context of 2812	2296	CasPol.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
Token: SeDebugPrivilege	2296	CasPol.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	AcroRd32.exe
2508	AcroRd32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2336 wrote to memory of 2296	2336	JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe	29
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2812	2296	CasPol.exe	30
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2296 wrote to memory of 2044	2296	CasPol.exe	32
PID 2044 wrote to memory of 2508	2044	rundll32.exe	33
PID 2044 wrote to memory of 2508	2044	rundll32.exe	33
PID 2044 wrote to memory of 2508	2044	rundll32.exe	33
PID 2044 wrote to memory of 2508	2044	rundll32.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Casspol
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Casspol"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hwiejYAoBL.txt

Filesize
84B

MD5
80b8964f9daa5fb1ff283bb95aea723b

SHA1
9da3c3251d8a16073416f8d7383fda4368d0c2eb

SHA256
b29a91b2f873bea7971caf95fcb7a6f795e89d87408d915df62c51aff40c423c

SHA512
b735f87723a17e73cfdc1215090c6ce56a6c56c869bceb7f8b4e2951d5f87721c3b371d9fbd10fc1488742ffa47981293d184ba66a3ec68ac922dc627b3eb0ad

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
05de1f33e8b6ede44c79d2c4d77d9486

SHA1
57d10c908e4d8540546021b351d596487b7303c9

SHA256
10f8dc456414dbc6024bd21af46e8c2e6e623f89b8730b7ec178b4f4a3503a8b

SHA512
fe8fa63d28aeb56aed94e5bb87650d488696ff32dc5cf245201d35333263440c73c61f9f89378bab35df7eff99a0dc78ca434470c20d9ccef968e3a1a20b2d86

Download Submit
C:\Users\Admin\AppData\Roaming\Casspol

Filesize
60KB

MD5
91104d8f4ecd179a4ed5432d892756db

SHA1
39e745d84e1d6bcad456730a22ea6f8ce52192ba

SHA256
5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7

SHA512
e4ba79056502b0f8c0966bd12ef0dab8e56009623f888f034d24fc85323f091e571cdf3bbc8e46c401e2a33a231190e2b4a00ae50171a47afd00067028389167

Download Submit
memory/2296-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-36-0x0000000071750000-0x0000000071E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-43-0x0000000071750000-0x0000000071E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-39-0x0000000071750000-0x0000000071E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-20-0x000000007175E000-0x000000007175F000-memory.dmp

Filesize
4KB

Download
memory/2296-37-0x000000007175E000-0x000000007175F000-memory.dmp

Filesize
4KB

Download
memory/2296-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2336-19-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-0-0x0000000074581000-0x0000000074582000-memory.dmp

Filesize
4KB

Download
memory/2812-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-35-0x0000000071750000-0x0000000071E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-38-0x0000000071750000-0x0000000071E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-25-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download