Malware Analysis Report

2025-04-14 05:11

Sample ID 250112-l2n4aszphm
Target JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64
SHA256 672083ab81b115705354d6264336bd0b879848087933cd603231c7850671c2e7
Tags stealer revengerat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

672083ab81b115705354d6264336bd0b879848087933cd603231c7850671c2e7

Threat Level: Known bad

The file JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat

RevengeRat Executable

Revengerat family

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-12 10:01

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-12 10:01

Reported

2025-01-12 10:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5acdf4a3.linkbucks.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
FR 95.101.134.51:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
FR 104.80.22.51:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\api[1].js

MD5 959fca740c230726e5a7cdf2b7603468
SHA1 1fa3eb9690cb728a4ba96846bd8eac87fa914073
SHA256 1a7a8da967879cf8c53e114c331242c5d44c39d4b4778a0824bc2f363504c3a5
SHA512 c493d157fdb40ca20752cd7419c3bf837c12831ef05d0d3e41844e17fc99096d1a7429adaa58ade3eb99aa5e5ce4ad91af8ef7c25f36c7e69f341ad0f2e88e86

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\recaptcha__en[1].js

MD5 19ddac3be88eda2c8263c5d52fa7f6bd
SHA1 c81720778f57c56244c72ce6ef402bb4de5f9619
SHA256 b261530f05e272e18b5b5c86d860c4979c82b5b6c538e1643b3c94fc9ba76dd6
SHA512 393015b8c7f14d5d4bdb9cceed7cd1477a7db07bc7c40bae7d0a48a2adfa7d56f9d1c3e4ec05c92fde152e72ffa6b75d8bf724e1f63f9bc21421125667afb05c

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-12 10:01

Reported

2025-01-12 10:04

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bdf47eab689f6d7cf23f64fb06fac64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 5acdf4a3.linkbucks.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files
