revengerat | ac2d76ddecd0ffbd59bd1f64f6e8086579a64061e141007399e47e9fe4b336da

General

Target

JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Size

1.1MB
MD5

804664585972bfa5b06339271eeeef2e
SHA1

58b0cc7fba313426572e1967e77a339fe017a02d
SHA256

ac2d76ddecd0ffbd59bd1f64f6e8086579a64061e141007399e47e9fe4b336da
SHA512

0ad37382d8a4e0162dddacce3cb35e94bf05f4336f85ecf3de82a4c16ebec613304e7091c359884ad4085cce09e3c748af92e140e5d83bfb696e0cf7d676caa4
SSDEEP

24576:Ky2HNG7O1oxjb3V0nob003s2sldyS9mLMuT1XZ2XqlZh:R6NdgPi0Hs2slb9mLnT1p26H

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0009000000016276-12.dat	revengerat

Executes dropped EXE 2 IoCs

pid	Process
2492	mmm.exe
2864	MARTYR~1.EXE

Loads dropped DLL 5 IoCs

pid	Process
2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
2492	mmm.exe
2868	dw20.exe
2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
2864	MARTYR~1.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Martyr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\MARTYR~1.EXE"	MARTYR~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Martyr	MARTYR~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MARTYR~1.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2380 wrote to memory of 2492	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	31
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2492 wrote to memory of 2868	2492	mmm.exe	32
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 508
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE

Filesize
1.5MB

MD5
6a9e06a828bca385615a51895b18f698

SHA1
acab147a919de88ec90f970af701f372806773e2

SHA256
e3a28e9d6e14cd1fdbc046bcf8e96e05508e1c881459e12f5cb0182292f9128f

SHA512
66e9f9e367e544c1845ff6aac938e728980c39895f0f267fca4c2e25788a122bbd567d6231daaa60d5ebf963f2a6fe32bfdca8457d97c477eb2a536d15cd6955

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe

Filesize
1.3MB

MD5
cd4667b40a1fc74894fba5d63cfa3b0e

SHA1
2a794780ceed4526df3d26246968cf576c89b0bd

SHA256
993c0949ded3fe56c5406c93adf775920d6fc3ee7179ee85cf197cbea0c69a35

SHA512
4a4c54ac80d51e1c18d4a9bb175df7cd976c6814b5c79a85ec153d31ee971c29f4d9f1c3508357913ab3e84ccc29885433a92ea8884cddcba1c3c99a075d0842

Download Submit
memory/2492-10-0x0000000073FE2000-0x0000000073FE4000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads