Analysis Overview
SHA256
672083ab81b115705354d6264336bd0b879848087933cd603231c7850671c2e7
Threat Level: Known bad
The file JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-12 10:01
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-12 10:01
Reported
2025-01-12 10:04
Platform
win7-20240903-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 5acdf4a3.linkbucks.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| FR | 95.101.134.51:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 104.80.22.51:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 5acdf4a3.linkbucks.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\api[1].js
| MD5 | 959fca740c230726e5a7cdf2b7603468 |
| SHA1 | 1fa3eb9690cb728a4ba96846bd8eac87fa914073 |
| SHA256 | 1a7a8da967879cf8c53e114c331242c5d44c39d4b4778a0824bc2f363504c3a5 |
| SHA512 | c493d157fdb40ca20752cd7419c3bf837c12831ef05d0d3e41844e17fc99096d1a7429adaa58ade3eb99aa5e5ce4ad91af8ef7c25f36c7e69f341ad0f2e88e86 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\recaptcha__en[1].js
| MD5 | 19ddac3be88eda2c8263c5d52fa7f6bd |
| SHA1 | c81720778f57c56244c72ce6ef402bb4de5f9619 |
| SHA256 | b261530f05e272e18b5b5c86d860c4979c82b5b6c538e1643b3c94fc9ba76dd6 |
| SHA512 | 393015b8c7f14d5d4bdb9cceed7cd1477a7db07bc7c40bae7d0a48a2adfa7d56f9d1c3e4ec05c92fde152e72ffa6b75d8bf724e1f63f9bc21421125667afb05c |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-12 10:01
Reported
2025-01-12 10:04
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
95s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5acdf4a3.linkbucks.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files