General

  • Target

    f147b8cfe733af00210eda406d7a2134_JaffaCakes118

  • Size

    999KB

  • Sample

    240415-rvd8eaag9w

  • MD5

    f147b8cfe733af00210eda406d7a2134

  • SHA1

    b57db223058117797e98312161faea36e619164c

  • SHA256

    048c93c638aeb9d63fd2c934d4333b125e75273324b7bd0d6ae35e23ac86c534

  • SHA512

    f33c4799e4589fb2d15a577c5259daf4e66bfc1bf95c455fbce0f92236ae53ea32b448cc2c54edba0b760012cec486ef3932ff19b4cb544cd5826764af28da54

  • SSDEEP

    24576:i3o8S1/d3U3K64JUTLGNeRUNg4PTkib7:Co8rK64JofxLib

Malware Config

Extracted

Family

warzonerat

C2

ankarab.ddns.net:6363

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks