General
-
Target
https://www.youtube.com/@cheatsminecraft992
-
Sample
240120-ltpd4afggp
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.youtube.com/@cheatsminecraft992
Resource
win10v2004-20231215-en
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\BackFiles_encoded01.txt
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rQEIiQtNNjeF%2BH%2BbjBTeQMZvYrNiDQtZ7Mo%2B0eRzvjHkUTWxMmMHA7zWTaiiIedmyHkw%2FyQgVl3txV7gqCDvc5BSXLlDB3lj9apIqdpx5wb7LRDZPSdUD%2BGqEf39eqZe4Ts7qXN7Ahetugry4HDkeZ07b6NyP1cSr5QX%2FeBzqCeDNy7vYikLZ8mqSP%2FjWY00%2BXI37g5sACKVzBretxK3ccxHY%2FN6GFlQ%2FIE6%2FeljrHP6WifYBCFgVZGaIumVI%2B5u7DI%2B6mMkEwXHmkbB%2FGW5d8A7ac1mEF84l8gK57YJzC%2F6Ui27SQJwT9OQKu24d6wZxmgW33F7dBW2xS3Lvwe2YMt5UbFpF3V8w6IZ98VxpCXXTyz7EQdkMqXEEdGxd99O2Gk97GYCA073jjyuziaSNPo5NL4WLgMM%2Bc8%2B%2FesE8CDablv7XDcCYrWSFfW%2BRZoFnEYu3zwnZyStrEj3pXHyc9tnZOIuf3B4srIr8%2FwtqAH2OB3rOwFmD760Dt2zDdFZy0Rc3zkVQma3uir0tX3uL%2BlObrxlAEIus5Mf1o8WxW38R0C5aiZTQfWIGevqZ5kEl30Gx3F7cBqozyjB6QzVRcNGT%2FpcdQBz3Zoc0c9VjC78YibYH3lcJKi7SaKJN%2B9a4045zXoqB1zjyCfd7jHsAvZlFc08AAouiK42oO0O40%2FYZz74R3UBWdCdHe3ibO0m7ngP2zEhexaKpyvEuwjAW%2FdscNFFB39D%2FIAM8PUhrSzWURL9PzxrIbvJKfGOe%2BpE13llu20qW1igyjnc72eyDMVqBuVxe3BQmpNKppwN3maIM0rmYg99duuJMdzoZq1x7k43sxwDfxrotF2hnyflRIgzTvEzegAPzog44b19hAGfTRvuGi0BDvnPOvyVGLVA%2F1dAukZ9A1P3qwz6%2BH63cpt%2FachgPQRUrMk%2F97c2x1X4MDzkezsFEre6JqPUevty7TI%2Buht4eiaIixremBHyQPh7Ycp7CkVjyq0e0e1crDjERAuvZgtqWZecEKrvJ%2BkumGxGsHJ5AlS8zk3DwWSQd504aewYOVoEuq8I%2Besbtn7IVH%2FraSt4DsnJDqLkW%2BwSmWwLxi0AfDO%2FqRvW%2BHDAZ%2B5LY7Auf3BRoMo94txzrwGYRDXfBSdiFJOLTMaYJ8Bwx3dJ33J5UQTdohf12l%2B4MONJFN9sf0ULtZEuor5x3kKVSjnHRxVjBNOoWqnKTYckwnw023F6dg%3D%3D
Extracted
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BC511AE6-709C-4371-BC56-72ECE237F064\#DECRYPT_MY_FILES#.html
Extracted
guloader
https://mindforcehypnosis.com/fas/decemberomo_FkoIc77.bin
Targets
-
-
Target
https://www.youtube.com/@cheatsminecraft992
-
Detect ZGRat V1
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Enumerates VirtualBox registry keys
-
Guloader payload
-
Looks for VirtualBox Guest Additions in registry
-
Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Warzone RAT payload
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Indicator Removal
1File Deletion
1Virtualization/Sandbox Evasion
2Modify Registry
2