Malware Analysis Report

2025-04-14 05:11

Sample ID: 250110-qsx23axpap
Target: JaffaCakes118_e5815370f9ee53658b44517b23d1b50f
SHA256: 51c7f171a9d281863968bbb23445398d9a2285a094b8d204d5ac2efda7e23738
Tags: revengerat, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 51c7f171a9d281863968bbb23445398d9a2285a094b8d204d5ac2efda7e23738

Threat Level: Known bad

The file JaffaCakes118_e5815370f9ee53658b44517b23d1b50f was found to be: Known bad.

Malicious Activity Summary

Tags: revengerat, trojan

Signatures:
RevengeRAT
Revengerat family
Unsigned PE
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2025-01-10 13:32

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-10 13:32
Reported: 2025-01-10 13:34
Platform: win7-20241023-en
Max time kernel: 140s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe"

Signatures

RevengeRAT (tags: trojan, revengerat)

Revengerat family (tags: revengerat)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-10 13:32
Reported: 2025-01-10 13:34
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe"

Signatures

RevengeRAT (tags: trojan, revengerat)

Revengerat family (tags: revengerat)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5815370f9ee53658b44517b23d1b50f.exe"

Network


Files
