General

  • Target

    ef426d4bbf705a856245b5bcbdf7e46a_JaffaCakes118

  • Size

    626KB

  • Sample

    240412-ggnjtaba9z

  • MD5

    ef426d4bbf705a856245b5bcbdf7e46a

  • SHA1

    188d276d75bd11222d78e93b15d5db5bb1fb5719

  • SHA256

    b0627375f7b275b493c75d04d198affe068da50f24744b63dd5b4a9ea85e6288

  • SHA512

    fe7b26c771614d9ae9e8e9b638a6817f35aa28e19a03dd4af51ea33bd1050d39ccbaaa8817080ff82016444f867e679cb7b13ffdb2f2cf04b95485a858e79c4a

  • SSDEEP

    12288:f+OR56es7iS/d348cGaewJhgYTq2+8Nu0SQTVKtS+EPEV4:fr56evS/d3GGaewbgay8Ln

Malware Config

Extracted

Family

warzonerat

C2

202.55.132.213:7744
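The extracted C2 is the one actionable network indicator on this page. The following is an added example (not part of the sandbox report) of matching that endpoint against Zeek conn.log records; the log lines are constructed for illustration, and only the host:port pair comes from the report. It matches on host and port together, because the IP alone could also serve unrelated traffic.

```python
"""Match the C2 extracted from the sandbox config against Zeek conn.log records.

Added example; not part of the sandbox report. The log lines below are
constructed for illustration. Only the C2 endpoint 202.55.132.213:7744 comes
from the report's extracted config.
"""
import ipaddress
from typing import Dict, List, Tuple

# From the report's "Malware Config" block.
C2_ENDPOINT: Tuple[str, int] = ("202.55.132.213", 7744)

# Constructed Zeek conn.log excerpt (tab-separated, with a #fields header).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1712923000.1\tCabc1\t10.1.2.37\t49712\t202.55.132.213\t7744\ttcp\t-\t120.5
1712923001.2\tCabc2\t10.1.2.37\t49713\t93.184.216.34\t443\ttcp\tssl\t0.9
1712923005.3\tCabc3\t10.1.2.88\t51020\t202.55.132.213\t7744\ttcp\t-\t5.0
1712923009.4\tCabc4\t10.1.2.88\t51021\t202.55.132.213\t8080\ttcp\t-\t0.1
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek conn.log text using its #fields header; other # lines are skipped."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_c2_connections(rows: List[Dict[str, str]],
                        c2: Tuple[str, int] = C2_ENDPOINT) -> List[Tuple[str, str]]:
    """Return (orig_h, uid) for every flow whose responder matches the C2 host AND port."""
    host = ipaddress.ip_address(c2[0])
    hits: List[Tuple[str, str]] = []
    for r in rows:
        try:
            resp_h = ipaddress.ip_address(r["id.resp_h"])
            resp_p = int(r["id.resp_p"])
        except (KeyError, ValueError):
            continue
        if resp_h == host and resp_p == c2[1]:
            hits.append((r["id.orig_h"], r["uid"]))
    return hits


def affected_hosts(text: str = SAMPLE_CONN_LOG) -> List[str]:
    """Distinct internal hosts that talked to the C2 endpoint, sorted."""
    return sorted({h for h, _ in find_c2_connections(parse_conn_log(text))})


if __name__ == "__main__":
    print(affected_hosts())  # ['10.1.2.37', '10.1.2.88']
```

The flow to 202.55.132.213:8080 in the sample is deliberately not counted: the port is part of the indicator here, and a looser IP-only match should be a separate, lower-confidence rule.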

Targets

    • Target

      ef426d4bbf705a856245b5bcbdf7e46a_JaffaCakes118

    • Size

      626KB

    • MD5

      ef426d4bbf705a856245b5bcbdf7e46a

    • SHA1

      188d276d75bd11222d78e93b15d5db5bb1fb5719

    • SHA256

      b0627375f7b275b493c75d04d198affe068da50f24744b63dd5b4a9ea85e6288

    • SHA512

      fe7b26c771614d9ae9e8e9b638a6817f35aa28e19a03dd4af51ea33bd1050d39ccbaaa8817080ff82016444f867e679cb7b13ffdb2f2cf04b95485a858e79c4a

    • SSDEEP

      12288:f+OR56es7iS/d348cGaewJhgYTq2+8Nu0SQTVKtS+EPEV4:fr56evS/d3GGaewbgay8Ln

    • Detects BazaLoader malware

BazaLoader is a trojan that sends its logs to the command-and-control (C2) server Base64-encoded in HTTP GET requests.

    • WarzoneRat, AveMaria

WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Warzone RAT payload

    • Checks computer location settings

Looks up the country code configured in the registry, likely a geofence check.

• Suspicious use of SetThreadContext

      SetThreadContext called on a thread of another process is a common step in process hollowing and other thread-hijacking injection.
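The last two signatures above are behavioural, not static. The following is an added example (not the sandbox's own signature code) of how both can be re-derived from an API-call trace: the hollowing check requires CreateProcess with CREATE_SUSPENDED, WriteProcessMemory, SetThreadContext and ResumeThread from one caller against the same child, and the location check requires opening a country/locale registry key and then reading a value from it. The trace, the API names and the registry paths treated as "location settings" are constructed assumptions for illustration.

```python
"""Re-derive two of the report's behavioural signatures from an API-call trace.

Added example; not code from the sandbox or from the sample. The trace below
is constructed, and the registry paths treated as "location settings" are an
assumption about what the signature looks for.
"""
from typing import Any, Dict, List, Set, Tuple

Call = Tuple[int, str, Dict[str, Any]]  # (caller pid, API name, arguments)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Assumed: registry locations a geofence check would read (lower-cased substrings).
LOCATION_KEY_HINTS = (
    r"control panel\international\geo",
    r"control\nls\locale",
)

# Constructed trace mirroring the classic hollowing sequence from pid 1000 into
# a suspended child (pid 2000), preceded by a country-code lookup.
SAMPLE_TRACE: List[Call] = [
    (1000, "RegOpenKeyExW", {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo"}),
    (1000, "RegQueryValueExW", {"value": "Nation"}),
    (1000, "CreateProcessW", {"image": r"C:\Windows\System32\cmd.exe",
                               "flags": CREATE_SUSPENDED, "pid": 2000}),
    (1000, "NtUnmapViewOfSection", {"target_pid": 2000}),
    (1000, "WriteProcessMemory", {"target_pid": 2000, "size": 0x9A000}),
    (1000, "SetThreadContext", {"target_pid": 2000}),
    (1000, "ResumeThread", {"target_pid": 2000}),
    # A process touching its own thread context (e.g. exception handling) is not flagged.
    (1500, "SetThreadContext", {"target_pid": 1500}),
]


def detect_hollowing(trace: List[Call]) -> List[Tuple[int, int]]:
    """Return (injector_pid, target_pid) pairs that complete the hollowing sequence.

    The sequence is CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread, all from one caller against the same child.
    Unrelated calls in between (e.g. NtUnmapViewOfSection) do not reset progress.
    """
    steps = ["WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    progress: Dict[Tuple[int, int], int] = {}  # (caller, target) -> steps completed
    hits: List[Tuple[int, int]] = []
    for pid, api, args in trace:
        if api == "CreateProcessW" and args.get("flags", 0) & CREATE_SUSPENDED:
            progress[(pid, args["pid"])] = 0
            continue
        key = (pid, args.get("target_pid"))
        if key in progress and progress[key] < len(steps) and api == steps[progress[key]]:
            progress[key] += 1
            if progress[key] == len(steps):
                hits.append(key)
    return hits


def detect_location_lookup(trace: List[Call]) -> List[int]:
    """Return pids that open a country/locale registry key and then query a value."""
    opened: Set[int] = set()
    hits: List[int] = []
    for pid, api, args in trace:
        if api == "RegOpenKeyExW":
            key = str(args.get("key", "")).lower()
            if any(hint in key for hint in LOCATION_KEY_HINTS):
                opened.add(pid)
        elif api == "RegQueryValueExW" and pid in opened and pid not in hits:
            hits.append(pid)
    return hits


def run_signatures(trace: List[Call]) -> Dict[str, list]:
    """Evaluate both signatures; keys mirror the report's signature names."""
    return {
        "Suspicious use of SetThreadContext": detect_hollowing(trace),
        "Checks computer location settings": detect_location_lookup(trace),
    }


if __name__ == "__main__":
    for name, result in run_signatures(SAMPLE_TRACE).items():
        print(f"{name}: {result}")
```

Requiring the full sequence, rather than any SetThreadContext call, is what keeps the self-targeted call from pid 1500 out of the result; a production rule would additionally correlate the child pid with the image path so the hollowed host process can be named in the alert.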

MITRE ATT&CK Enterprise v15

Tasks