Analysis
max time kernel: 143s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 02:26
Behavioral task: behavioral1
Sample: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
Size: 1.9MB
MD5: f94cc4a8bc7778ad06c46dea2fcae015
SHA1: 3088cb27fb933cdffebe5d365fa8ed0d1169379a
SHA256: 65ed67e61818f348fd59b7dbb9e88935f7da64c185965e3d597ea617b3ff35e1
SHA512: 8db7f3d3cce11925ccf79447bdf2ed518b355d574346f7a084c1cf972269843fca49f336ff9e65a9e526558243901786e03d3cde48bfa1a6000c724fb1ce19c7
SSDEEP: 49152:zhfpWBeokXFpubqkfqNng8V77EnBn7DDh2regl3vy+QgyF3Flqv3fhrs3MrqDqYr:lYMBXb+0nf7Cn7vUeg/QP+3WMze
Malware Config
Extracted
warzonerat
185.140.53.185:2844
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2404-18-0x00000000020F0000-0x00000000021AE000-memory.dmp | warzonerat
behavioral1/memory/2264-12-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2264-19-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2264-21-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2264-26-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
Executes dropped EXE 2 IoCs
Processes:
pid | process
2404 | test.exe
2264 | test.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
1932 | cmd.exe
1932 | cmd.exe
2404 | test.exe
Processes:
resource | yara_rule
behavioral1/memory/328-1-0x0000000000400000-0x0000000000761000-memory.dmp | upx
\Users\Admin\AppData\Local\Temp\test.exe | upx
behavioral1/memory/2404-8-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral1/memory/2404-10-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral1/memory/2404-13-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral1/memory/328-20-0x0000000000400000-0x0000000000761000-memory.dmp | upx
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2404 set thread context of 2264 | 2404 | test.exe | test.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2404 | test.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2404 | test.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 328 wrote to memory of 1932 | 328 | f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | cmd.exe
PID 328 wrote to memory of 1932 | 328 | f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | cmd.exe
PID 328 wrote to memory of 1932 | 328 | f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | cmd.exe
PID 328 wrote to memory of 1932 | 328 | f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | cmd.exe
PID 1932 wrote to memory of 2404 | 1932 | cmd.exe | test.exe
PID 1932 wrote to memory of 2404 | 1932 | cmd.exe | test.exe
PID 1932 wrote to memory of 2404 | 1932 | cmd.exe | test.exe
PID 1932 wrote to memory of 2404 | 1932 | cmd.exe | test.exe
PID 2404 wrote to memory of 2264 | 2404 | test.exe | test.exe
PID 2404 wrote to memory of 2264 | 2404 | test.exe | test.exe
PID 2404 wrote to memory of 2264 | 2404 | test.exe | test.exe
PID 2404 wrote to memory of 2264 | 2404 | test.exe | test.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
PID 2264 wrote to memory of 2716 | 2264 | test.exe | cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 328
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c test.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1932
    - [3] C:\Users\Admin\AppData\Local\Temp\test.exe
      command line: test.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2404
      - [4] C:\Users\Admin\AppData\Local\Temp\test.exe
        command line: test.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2264
        - [5] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID: 2716
Downloads
Filesize: 387KB
MD5: deace68722b647efb1e18e379f7f5110
SHA1: afe4fd34d5eefe7a88bac9c0c46d6c5d15f5a304
SHA256: 3179686b24219094a8699cb0685888bbc6438d042e098a310849d3fa451e84f7
SHA512: dd28ae7378baae0e4899fa413c7ce38494b5c3f51293ce15bdfa2b243496844967bef05f000b2c03f841e92cddcab5c91aac0742222243949987b75dc80533f0