Analysis Overview
SHA256
5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7
Threat Level: Known bad
The file JaffaCakes118_91104d8f4ecd179a4ed5432d892756db was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Revengerat family
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-08 06:43
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 06:43
Reported
2025-01-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1868 set thread context of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 5096 set thread context of 4784 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:5959 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| GB | 31.52.239.206:5959 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:5959 | | tcp |
| GB | 31.52.239.206:5959 | | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\hwiejYAoBL.txt
| MD5 | 80b8964f9daa5fb1ff283bb95aea723b |
| SHA1 | 9da3c3251d8a16073416f8d7383fda4368d0c2eb |
| SHA256 | b29a91b2f873bea7971caf95fcb7a6f795e89d87408d915df62c51aff40c423c |
| SHA512 | b735f87723a17e73cfdc1215090c6ce56a6c56c869bceb7f8b4e2951d5f87721c3b371d9fbd10fc1488742ffa47981293d184ba66a3ec68ac922dc627b3eb0ad |
C:\Users\Admin\AppData\Roaming\Casspol
| MD5 | 91104d8f4ecd179a4ed5432d892756db |
| SHA1 | 39e745d84e1d6bcad456730a22ea6f8ce52192ba |
| SHA256 | 5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7 |
| SHA512 | e4ba79056502b0f8c0966bd12ef0dab8e56009623f888f034d24fc85323f091e571cdf3bbc8e46c401e2a33a231190e2b4a00ae50171a47afd00067028389167 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CasPol.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 06:43
Reported
2025-01-08 06:46
Platform
win7-20240729-en
Max time kernel
140s
Max time network
47s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2336 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 2296 set thread context of 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\_auto_file\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91104d8f4ecd179a4ed5432d892756db.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Casspol
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Casspol"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5959 | | tcp |
| GB | 31.52.239.206:5959 | | tcp |
| N/A | 127.0.0.1:5959 | | tcp |
| GB | 31.52.239.206:5959 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\hwiejYAoBL.txt
| MD5 | 80b8964f9daa5fb1ff283bb95aea723b |
| SHA1 | 9da3c3251d8a16073416f8d7383fda4368d0c2eb |
| SHA256 | b29a91b2f873bea7971caf95fcb7a6f795e89d87408d915df62c51aff40c423c |
| SHA512 | b735f87723a17e73cfdc1215090c6ce56a6c56c869bceb7f8b4e2951d5f87721c3b371d9fbd10fc1488742ffa47981293d184ba66a3ec68ac922dc627b3eb0ad |
C:\Users\Admin\AppData\Roaming\Casspol
| MD5 | 91104d8f4ecd179a4ed5432d892756db |
| SHA1 | 39e745d84e1d6bcad456730a22ea6f8ce52192ba |
| SHA256 | 5da2b86d941d0c24e21a5a49f1a6764dc73096a5f5e2128f05581147e7b548e7 |
| SHA512 | e4ba79056502b0f8c0966bd12ef0dab8e56009623f888f034d24fc85323f091e571cdf3bbc8e46c401e2a33a231190e2b4a00ae50171a47afd00067028389167 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 05de1f33e8b6ede44c79d2c4d77d9486 |
| SHA1 | 57d10c908e4d8540546021b351d596487b7303c9 |
| SHA256 | 10f8dc456414dbc6024bd21af46e8c2e6e623f89b8730b7ec178b4f4a3503a8b |
| SHA512 | fe8fa63d28aeb56aed94e5bb87650d488696ff32dc5cf245201d35333263440c73c61f9f89378bab35df7eff99a0dc78ca434470c20d9ccef968e3a1a20b2d86 |