revengerat | ac2d76ddecd0ffbd59bd1f64f6e8086579a64061e141007399e47e9fe4b336da

General

Target

JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Size

1.1MB
MD5

804664585972bfa5b06339271eeeef2e
SHA1

58b0cc7fba313426572e1967e77a339fe017a02d
SHA256

ac2d76ddecd0ffbd59bd1f64f6e8086579a64061e141007399e47e9fe4b336da
SHA512

0ad37382d8a4e0162dddacce3cb35e94bf05f4336f85ecf3de82a4c16ebec613304e7091c359884ad4085cce09e3c748af92e140e5d83bfb696e0cf7d676caa4
SSDEEP

24576:Ky2HNG7O1oxjb3V0nob003s2sldyS9mLMuT1XZ2XqlZh:R6NdgPi0Hs2slb9mLnT1p26H

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000900000002426b-19.dat	revengerat

Executes dropped EXE 2 IoCs

pid	Process
2600	mmm.exe
4048	MARTYR~1.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Martyr	MARTYR~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Martyr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\MARTYR~1.EXE"	MARTYR~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MARTYR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3852	dw20.exe
Token: SeBackupPrivilege	3852	dw20.exe
Token: SeBackupPrivilege	3852	dw20.exe
Token: SeBackupPrivilege	3852	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5748 wrote to memory of 2600	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	85
PID 5748 wrote to memory of 2600	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	85
PID 5748 wrote to memory of 2600	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	85
PID 2600 wrote to memory of 3852	2600	mmm.exe	88
PID 2600 wrote to memory of 3852	2600	mmm.exe	88
PID 2600 wrote to memory of 3852	2600	mmm.exe	88
PID 5748 wrote to memory of 4048	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	92
PID 5748 wrote to memory of 4048	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	92
PID 5748 wrote to memory of 4048	5748	JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804664585972bfa5b06339271eeeef2e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MARTYR~1.EXE

Filesize
1.5MB

MD5
6a9e06a828bca385615a51895b18f698

SHA1
acab147a919de88ec90f970af701f372806773e2

SHA256
e3a28e9d6e14cd1fdbc046bcf8e96e05508e1c881459e12f5cb0182292f9128f

SHA512
66e9f9e367e544c1845ff6aac938e728980c39895f0f267fca4c2e25788a122bbd567d6231daaa60d5ebf963f2a6fe32bfdca8457d97c477eb2a536d15cd6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mmm.exe

Filesize
1.3MB

MD5
cd4667b40a1fc74894fba5d63cfa3b0e

SHA1
2a794780ceed4526df3d26246968cf576c89b0bd

SHA256
993c0949ded3fe56c5406c93adf775920d6fc3ee7179ee85cf197cbea0c69a35

SHA512
4a4c54ac80d51e1c18d4a9bb175df7cd976c6814b5c79a85ec153d31ee971c29f4d9f1c3508357913ab3e84ccc29885433a92ea8884cddcba1c3c99a075d0842

Download Submit
memory/2600-7-0x0000000074592000-0x0000000074593000-memory.dmp

Filesize
4KB

Download
memory/2600-8-0x0000000074590000-0x0000000074B41000-memory.dmp

Filesize
5.7MB

Download
memory/2600-9-0x0000000074590000-0x0000000074B41000-memory.dmp

Filesize
5.7MB

Download
memory/2600-16-0x0000000074590000-0x0000000074B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads