Analysis Overview
SHA256
4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623
Threat Level: Known bad
The file JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
RevengeRAT
Revengerat family
RevengeRat Executable
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-16 18:19
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 18:19
Reported
2025-01-16 18:22
Platform
win7-20240903-en
Max time kernel
146s
Max time network
121s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\Firewall.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ComponentID = "Windows Firewall" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ = "Microsoft Windows" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1600 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
| PID 1600 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
| PID 1600 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
| PID 1600 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.com | udp |
| US | 172.66.43.169:80 | whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.40.87:443 | www.whatismyip.com | tcp |
| US | 172.66.40.87:443 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 74.125.128.109:587 | smtp.gmail.com | tcp |
Files
memory/1600-0-0x0000000074051000-0x0000000074052000-memory.dmp
memory/1600-1-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1600-2-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1600-3-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1600-7-0x0000000074050000-0x00000000745FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\Firewall.exe
| MD5 | 7e63213f90d5916ee351c1b7c4a84958 |
| SHA1 | 6bc40e54159f8c07564c8d69da029f730c3386e4 |
| SHA256 | 4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623 |
| SHA512 | d796c3393df3a86d2281b14dd237c4fa1c2b986b279474d5dff05c09ab25a7c1976422eea25223ca0b78283775b5bb36fdf34764af24e267fb345513036f23a0 |
memory/2776-17-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/2776-18-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/2776-19-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/2776-20-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1600-21-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/2776-22-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/2776-23-0x0000000074050000-0x00000000745FB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-16 18:19
Reported
2025-01-16 18:22
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
140s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\Firewall.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ComponentID = "Windows Firewall" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ = "Microsoft Windows" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 916 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
| PID 916 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
| PID 916 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.com | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 172.66.40.87:80 | whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.43.169:443 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 74.125.128.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 87.40.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.43.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.128.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/916-0-0x0000000075402000-0x0000000075403000-memory.dmp
memory/916-1-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/916-2-0x0000000075400000-0x00000000759B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\Firewall.exe
| MD5 | 7e63213f90d5916ee351c1b7c4a84958 |
| SHA1 | 6bc40e54159f8c07564c8d69da029f730c3386e4 |
| SHA256 | 4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623 |
| SHA512 | d796c3393df3a86d2281b14dd237c4fa1c2b986b279474d5dff05c09ab25a7c1976422eea25223ca0b78283775b5bb36fdf34764af24e267fb345513036f23a0 |
memory/916-9-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-20-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-21-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/916-23-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-24-0x0000000075400000-0x00000000759B1000-memory.dmp