Analysis Overview
SHA256
65ed67e61818f348fd59b7dbb9e88935f7da64c185965e3d597ea617b3ff35e1
Threat Level: Known bad
The file f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-19 02:26
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 02:26
Reported
2024-04-19 02:29
Platform
win7-20240221-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2404 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\test.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c test.exe |
| C:\Users\Admin\AppData\Local\Temp\test.exe | test.exe |
| C:\Users\Admin\AppData\Local\Temp\test.exe | test.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
Files
memory/328-1-0x0000000000400000-0x0000000000761000-memory.dmp
\Users\Admin\AppData\Local\Temp\test.exe
| Hash | Value |
|---|---|
| MD5 | deace68722b647efb1e18e379f7f5110 |
| SHA1 | afe4fd34d5eefe7a88bac9c0c46d6c5d15f5a304 |
| SHA256 | 3179686b24219094a8699cb0685888bbc6438d042e098a310849d3fa451e84f7 |
| SHA512 | dd28ae7378baae0e4899fa413c7ce38494b5c3f51293ce15bdfa2b243496844967bef05f000b2c03f841e92cddcab5c91aac0742222243949987b75dc80533f0 |
memory/1932-6-0x00000000022E0000-0x000000000239E000-memory.dmp
memory/1932-7-0x00000000022E0000-0x000000000239E000-memory.dmp
memory/2404-8-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/2404-10-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/2404-9-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2404-15-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2404-18-0x00000000020F0000-0x00000000021AE000-memory.dmp
memory/2404-13-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/2264-12-0x0000000000400000-0x0000000000553000-memory.dmp
memory/328-20-0x0000000000400000-0x0000000000761000-memory.dmp
memory/2264-19-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2264-21-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2716-22-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2716-23-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2264-26-0x0000000000400000-0x0000000000553000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 02:26
Reported
2024-04-19 02:29
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4716 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\test.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f94cc4a8bc7778ad06c46dea2fcae015_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c test.exe |
| C:\Users\Admin\AppData\Local\Temp\test.exe | test.exe |
| C:\Users\Admin\AppData\Local\Temp\test.exe | test.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
| HK | 185.140.53.185:2844 | | tcp |
Files
memory/3392-0-0x0000000000400000-0x0000000000761000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| Hash | Value |
|---|---|
| MD5 | deace68722b647efb1e18e379f7f5110 |
| SHA1 | afe4fd34d5eefe7a88bac9c0c46d6c5d15f5a304 |
| SHA256 | 3179686b24219094a8699cb0685888bbc6438d042e098a310849d3fa451e84f7 |
| SHA512 | dd28ae7378baae0e4899fa413c7ce38494b5c3f51293ce15bdfa2b243496844967bef05f000b2c03f841e92cddcab5c91aac0742222243949987b75dc80533f0 |
memory/4716-5-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/4716-6-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/4716-7-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/1484-9-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4716-10-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/4716-8-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/1484-14-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1484-16-0x0000000000400000-0x0000000000553000-memory.dmp
memory/3392-15-0x0000000000400000-0x0000000000761000-memory.dmp
memory/5056-17-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
memory/1484-19-0x0000000000400000-0x0000000000553000-memory.dmp