Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
- submitted: 19-04-2024 02:26
Behavioral task: behavioral1
- Sample: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
- Size: 1.9MB
- MD5: f94cc4a8bc7778ad06c46dea2fcae015
- SHA1: 3088cb27fb933cdffebe5d365fa8ed0d1169379a
- SHA256: 65ed67e61818f348fd59b7dbb9e88935f7da64c185965e3d597ea617b3ff35e1
- SHA512: 8db7f3d3cce11925ccf79447bdf2ed518b355d574346f7a084c1cf972269843fca49f336ff9e65a9e526558243901786e03d3cde48bfa1a6000c724fb1ce19c7
- SSDEEP: 49152:zhfpWBeokXFpubqkfqNng8V77EnBn7DDh2regl3vy+QgyF3Flqv3fhrs3MrqDqYr:lYMBXb+0nf7Cn7vUeg/QP+3WMze
Malware Config
Extracted
- family: warzonerat
- C2: 185.140.53.185:2844
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1484-9-0x0000000000400000-0x0000000000553000-memory.dmp: warzonerat
  - behavioral2/memory/1484-14-0x0000000000400000-0x0000000000553000-memory.dmp: warzonerat
  - behavioral2/memory/1484-16-0x0000000000400000-0x0000000000553000-memory.dmp: warzonerat
  - behavioral2/memory/1484-19-0x0000000000400000-0x0000000000553000-memory.dmp: warzonerat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4716 test.exe
  - 1484 test.exe
- Processes (resource: yara_rule):
  - behavioral2/memory/3392-0-0x0000000000400000-0x0000000000761000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Temp\test.exe: upx
  - behavioral2/memory/4716-5-0x0000000000400000-0x00000000004BE000-memory.dmp: upx
  - behavioral2/memory/4716-7-0x0000000000400000-0x00000000004BE000-memory.dmp: upx
  - behavioral2/memory/4716-8-0x0000000000400000-0x00000000004BE000-memory.dmp: upx
  - behavioral2/memory/3392-15-0x0000000000400000-0x0000000000761000-memory.dmp: upx
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 4716 (test.exe) set thread context of PID 1484 (test.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 4716 test.exe
  - 4716 test.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  - 4716 test.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
  - PID 3392 (f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe) wrote to memory of PID 2464 (cmd.exe), 3 entries
  - PID 2464 (cmd.exe) wrote to memory of PID 4716 (test.exe), 3 entries
  - PID 4716 (test.exe) wrote to memory of PID 1484 (test.exe), 3 entries
  - PID 1484 (test.exe) wrote to memory of PID 5056 (cmd.exe), 5 entries
Processes (tree; numbers give the depth)
1. C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe"
   PID: 3392
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c test.exe
      PID: 2464
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\test.exe
         Command line: test.exe
         PID: 4716
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\test.exe
            Command line: test.exe
            PID: 1484
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe"
               PID: 5056
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 387KB
- MD5: deace68722b647efb1e18e379f7f5110
- SHA1: afe4fd34d5eefe7a88bac9c0c46d6c5d15f5a304
- SHA256: 3179686b24219094a8699cb0685888bbc6438d042e098a310849d3fa451e84f7
- SHA512: dd28ae7378baae0e4899fa413c7ce38494b5c3f51293ce15bdfa2b243496844967bef05f000b2c03f841e92cddcab5c91aac0742222243949987b75dc80533f0