revengerat | 08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
Size

345KB
MD5

b4f7d6c32fd88f6f0743eb92dead9508
SHA1

148dc196a6c47cf25e09b626d061c9ea1d5ba531
SHA256

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779
SHA512

119fd596fbfe7e97a5bfdb2d39e681e038adcf31aaeea7c4c884a908dc6736ec36991b55e69a374832553bb41bfae02b35264b54a5ed076bde0db7bfa25f3a42
SSDEEP

6144:braC/8rXRJeWBp/18S8jzk5lwWsh0QfX8TGAM1S38Tx+8liWpztzRRCRq:brGTegj8dc5u0QiJM15TxXim5R2

Score

10^/10

revengerat guest trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

185.29.10.15:6984

Mutex

RV_MUTEX-LuSAtYBxGgZH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

description pid process target process

PID 4800 set thread context of 3536 4800 b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exeb4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4800 b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
Token: SeDebugPrivilege 3536 b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

description	pid	process	target process
PID 4800 set thread context of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
Token: SeDebugPrivilege	3536	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

description	pid	process	target process
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
PID 4800 wrote to memory of 3536	4800	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe	b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f7d6c32fd88f6f0743eb92dead9508_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3536-18-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3536-17-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3536-16-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3536-14-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/3536-13-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4800-4-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/4800-7-0x0000000003060000-0x000000000306A000-memory.dmp

Filesize
40KB

Download
memory/4800-8-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/4800-9-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4800-10-0x0000000009380000-0x000000000941C000-memory.dmp

Filesize
624KB

Download
memory/4800-6-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4800-5-0x0000000005720000-0x000000000573E000-memory.dmp

Filesize
120KB

Download
memory/4800-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/4800-3-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4800-15-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4800-2-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/4800-1-0x0000000000D50000-0x0000000000DAE000-memory.dmp

Filesize
376KB

Download