Malware Analysis Report

2025-04-14 05:11

Sample ID 250116-wymq6stkgp
Target JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958
SHA256 4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623
Tags
stealer revengerat discovery persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623

Threat Level: Known bad

The file JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat discovery persistence spyware trojan

RevengeRat Executable

RevengeRAT

Revengerat family

RevengeRat Executable

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-16 18:19

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-16 18:19

Reported

2025-01-16 18:22

Platform

win7-20240903-en

Max time kernel

146s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\Firewall.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ComponentID = "Windows Firewall" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ = "Microsoft Windows" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyip.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.com udp
US 172.66.43.169:80 whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:443 www.whatismyip.com tcp
US 172.66.40.87:443 www.whatismyip.com tcp
US 8.8.8.8:53 smtp.gmail.com udp
NL 74.125.128.109:587 smtp.gmail.com tcp

Files

memory/1600-0-0x0000000074051000-0x0000000074052000-memory.dmp

memory/1600-1-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/1600-2-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/1600-3-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/1600-7-0x0000000074050000-0x00000000745FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\Firewall.exe

MD5 7e63213f90d5916ee351c1b7c4a84958
SHA1 6bc40e54159f8c07564c8d69da029f730c3386e4
SHA256 4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623
SHA512 d796c3393df3a86d2281b14dd237c4fa1c2b986b279474d5dff05c09ab25a7c1976422eea25223ca0b78283775b5bb36fdf34764af24e267fb345513036f23a0

memory/2776-17-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2776-18-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2776-19-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2776-20-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/1600-21-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2776-22-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2776-23-0x0000000074050000-0x00000000745FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-16 18:19

Reported

2025-01-16 18:22

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\Firewall.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ComponentID = "Windows Firewall" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89850105-ECBD-11cf-8B85-00AA005B4340}\ = "Microsoft Windows" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Account Control = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KERNEL-32 Module = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\User Account Control\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyip.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e63213f90d5916ee351c1b7c4a84958.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\User Account Control\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.com udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 172.66.40.87:80 whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:443 www.whatismyip.com tcp
US 8.8.8.8:53 smtp.gmail.com udp
NL 74.125.128.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 87.40.66.172.in-addr.arpa udp
US 8.8.8.8:53 169.43.66.172.in-addr.arpa udp
US 8.8.8.8:53 109.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/916-0-0x0000000075402000-0x0000000075403000-memory.dmp

memory/916-1-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/916-2-0x0000000075400000-0x00000000759B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\Firewall.exe

MD5 7e63213f90d5916ee351c1b7c4a84958
SHA1 6bc40e54159f8c07564c8d69da029f730c3386e4
SHA256 4de025b765e8509fe00fdbd927329480d23f5f6c2a3c2511c0dc8a438fbc7623
SHA512 d796c3393df3a86d2281b14dd237c4fa1c2b986b279474d5dff05c09ab25a7c1976422eea25223ca0b78283775b5bb36fdf34764af24e267fb345513036f23a0

memory/916-9-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4528-20-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4528-21-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/916-23-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4528-24-0x0000000075400000-0x00000000759B1000-memory.dmp