Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 00:16

Static task: static1
Behavioral task: behavioral1
- Sample: f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
- Size: 305KB
- MD5: f6e2893312dc8bb664c183fcc93990bb
- SHA1: 72c03600b7fcab33db83644153a9376f6aae5914
- SHA256: 369e794e05e0d7c9bba6dde5009848087a2cd5e8bf77583d391e0e51d21a52cd
- SHA512: dbe72bd9d0851176e20091842b1505e650034ce4b1a98dfc13d09cbb92cc45a8db67418ff7db88a4a5451363c74189bf86efe227ec52b6901e1b188bae07baf0
- SSDEEP: 6144:qrPvxOIE9jeOn3jEapL6wAOGNGE81/2I/TYtCC:qbvx+9jZoDwmGRuIhC
Malware Config
Extracted
- Family: warzonerat
- C2: 64.188.13.46:13372
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (6 IoCs)
  YARA rule warzonerat matched in six memory dumps of PID 2104 (behavioral1), all covering the same region 0x0000000000400000-0x0000000000554000:
    behavioral1/memory/2104-11-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral1/memory/2104-12-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral1/memory/2104-14-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral1/memory/2104-16-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral1/memory/2104-20-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral1/memory/2104-22-0x0000000000400000-0x0000000000554000-memory.dmp
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLC Media Player = "C:\\Users\\Admin\\AppData\\Local\\VLC Media Player.exe" (process: reg.exe)
  The identical value is set three times, once by each reg.exe instance in the process tree (PIDs 2668, 2520 and 2700).
- Suspicious use of SetThreadContext (1 IoC)
  PID 2764 (f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe) set thread context of PID 2104 (f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  WerFault.exe PID 2608, target PID 2104
- Suspicious use of WriteProcessMemory (48 IoCs)
  Source PID (image) -> target PID (image): number of writes; "sample" is f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
    2656 (sample) -> 2052 (cmd.exe): 4
    2656 (sample) -> 2632 (sample): 4
    2052 (cmd.exe) -> 2668 (reg.exe): 4
    2632 (sample) -> 2688 (cmd.exe): 4
    2688 (cmd.exe) -> 2520 (reg.exe): 4
    2632 (sample) -> 2764 (sample): 4
    2764 (sample) -> 2544 (cmd.exe): 4
    2544 (cmd.exe) -> 2700 (reg.exe): 4
    2764 (sample) -> 2104 (sample): 12
    2104 (sample) -> 2608 (WerFault.exe): 4
  Every process creation in the tree accounts for four writes; only the 2764 -> 2104 pair carries twelve, and it is the same pair flagged for SetThreadContext and the one whose child holds the warzonerat-tagged memory region.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe"
   PID 2656 - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe" "C:\Users\%username%\AppData\Local\VLC Media Player.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\VLC Media Player.exe"
      PID 2052 - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\VLC Media Player.exe"
         PID 2668 - Adds Run key to start application
   2. C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe"
      PID 2632 - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe" "C:\Users\%username%\AppData\Local\VLC Media Player.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\VLC Media Player.exe"
         PID 2688 - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\VLC Media Player.exe"
            PID 2520 - Adds Run key to start application
      3. C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe"
         PID 2764 - Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe" "C:\Users\%username%\AppData\Local\VLC Media Player.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\VLC Media Player.exe"
            PID 2544 - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe
               Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VLC Media Player" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\VLC Media Player.exe"
               PID 2700 - Adds Run key to start application
         4. C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe"
            PID 2104 - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 200
               PID 2608 - Program crash

The leading number on each entry is its depth in the tree. Note that the cmd.exe, reg.exe and WerFault.exe image paths are under C:\Windows\SysWOW64 even though the command lines name C:\Windows\System32: the sample is a 32-bit executable (resource tag arch:x86) and the WoW64 file-system redirector resolves System32 to SysWOW64 for its children. The cmd.exe command line copies the sample to %username%\AppData\Local under the name "VLC Media Player.exe" and registers that copy as an HKCU Run value; the reg.exe child shows the path with the username already expanded. The sample re-executes itself three times (PIDs 2632, 2764, 2104), each instance repeating the copy-and-REG-ADD step, and the final instance is the one that crashed and was handled by WerFault.
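The records above support two conclusions a responder will act on, and the following added example (mine, not part of the sandbox report or its tooling) correlates them from the page's own entries. First, persistence is written by reg.exe as a Run value named "VLC Media Player" whose target is a copy of the sample in the user's AppData\Local. Second, PID 2764 writes into the memory of its same-image child PID 2104 twelve times, against four writes for every other spawn in the tree, and also calls SetThreadContext on it, after which every warzonerat YARA hit sits in that child's 0x400000-0x554000 image range. The page does not name the technique, but that sequence is the usual shape of a parent overwriting a child's image before resuming it. The record strings below are constructed from the signature entries on this page, and the user-writable directory list and the expected VLC install root are assumptions to adjust per estate.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe"

# Constructed from the page: (source pid, target pid, source image,
# target image, repeats) under "Suspicious use of WriteProcessMemory".
WRITE_EVENTS = [
    (2656, 2052, SAMPLE, "cmd.exe", 4), (2656, 2632, SAMPLE, SAMPLE, 4),
    (2052, 2668, "cmd.exe", "reg.exe", 4), (2632, 2688, SAMPLE, "cmd.exe", 4),
    (2688, 2520, "cmd.exe", "reg.exe", 4), (2632, 2764, SAMPLE, SAMPLE, 4),
    (2764, 2544, SAMPLE, "cmd.exe", 4), (2544, 2700, "cmd.exe", "reg.exe", 4),
    (2764, 2104, SAMPLE, SAMPLE, 12), (2104, 2608, SAMPLE, "WerFault.exe", 4),
]
RECORDS = [f"PID {s} wrote to memory of {d} {s} {si} {di}"
           for s, d, si, di, n in WRITE_EVENTS for _ in range(n)]
RECORDS.append(f"PID 2764 set thread context of 2104 2764 {SAMPLE} {SAMPLE}")
RECORDS += [f"behavioral1/memory/2104-{i}-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat"
            for i in (11, 12, 14, 16, 20, 22)]
RUN_KEY = (r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
           r'\Software\Microsoft\Windows\CurrentVersion\Run\VLC Media Player'
           r' = "C:\\Users\\Admin\\AppData\\Local\\VLC Media Player.exe" reg.exe')
RECORDS += [RUN_KEY] * 3   # one write per reg.exe instance (PIDs 2668, 2520, 2700)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"^behavioral\d+/memory/(\d+)-\d+-(0x[0-9a-f]+)-(0x[0-9a-f]+)-memory\.dmp (\S+)$")
RUN_RE = re.compile(r'^Set value \(str\) \\REGISTRY\\USER\\(S-1-5-21-[\d-]+)'
                    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(.+?) = "(.+)" (\S+)$')

# Directories a standard user can write to (assumption; extend per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Where the product a Run value is named after normally installs
# (assumption: VLC's default 64-bit install root).
EXPECTED_ROOT = {"vlc media player": "\\program files\\videolan\\"}


def parse(records):
    """Bucket the raw records by type, keyed on PID so the checks can join them."""
    p = {"writes": Counter(), "ctx": set(), "images": {},
         "dumps": defaultdict(set), "run_keys": Counter()}
    for rec in records:
        m = WRITE_RE.match(rec) or CTX_RE.match(rec)
        if m:
            src, dst = int(m[1]), int(m[2])
            p["images"][src], p["images"][dst] = m[3], m[4]
            if "thread context" in rec:
                p["ctx"].add((src, dst))
            else:
                p["writes"][(src, dst)] += 1
            continue
        m = DUMP_RE.match(rec)
        if m:
            p["dumps"][int(m[1])].add((m[4], int(m[2], 16), int(m[3], 16)))
            continue
        m = RUN_RE.match(rec)
        if m:   # reg.exe reports the data with doubled backslashes; normalise
            p["run_keys"][(m[1], m[2], m[3].replace("\\\\", "\\"), m[4])] += 1
    return p


def injection_candidates(p):
    """Parent/child pairs with memory writes *and* a SetThreadContext call.
    Every spawn on this page shows four writes, so writes alone do not
    separate injection from process creation; the context change does.
    Matched YARA rules and dumped ranges in the child are attached for triage."""
    out = []
    for src, dst in sorted(p["ctx"]):
        if not p["writes"][(src, dst)]:
            continue
        dumps = p["dumps"].get(dst, ())
        out.append({"parent": src, "child": dst, "writes": p["writes"][(src, dst)],
                    "same_image": p["images"].get(src) == p["images"].get(dst),
                    "rules": sorted({r for r, _, _ in dumps}),
                    "ranges": sorted({(lo, hi) for _, lo, hi in dumps})})
    return out


def suspicious_run_keys(p):
    """Run values written by reg.exe, pointing into user-writable paths, or
    named after a product but not installed where that product lives."""
    out = []
    for (sid, name, value, proc), n in sorted(p["run_keys"].items()):
        low, reasons = value.lower(), []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("target in user-writable directory")
        if proc.lower() == "reg.exe":
            reasons.append("written via reg.exe")
        root = EXPECTED_ROOT.get(name.lower())
        if root and root not in low:
            reasons.append(f"named '{name}' but not under {root}")
        if reasons:
            out.append({"sid": sid, "name": name, "value": value,
                        "times_written": n, "reasons": reasons})
    return out


if __name__ == "__main__":
    parsed = parse(RECORDS)
    for hit in injection_candidates(parsed) + suspicious_run_keys(parsed):
        print(hit)
```

Run directly, it prints one injection finding (2764 -> 2104, twelve writes, same image, rule warzonerat, range 0x400000-0x554000) and one persistence finding with three reasons and a write count of three. parse() ignores record types it does not know, so further signature lines from the same report can be appended to RECORDS without changing the checks.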
Network
MITRE ATT&CK Enterprise v15