Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 05:02
Static task: static1
Behavioral task: behavioral1
  Sample: f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
Size: 970KB
MD5: f990e61f27aa6b6f21e22ec66da256bc
SHA1: b1b3ab210652a8268424489d272091e811833f08
SHA256: e90bb8f634ea320dd9e39c3f7c007402c0a696ef31cce92a259c7fca6e479514
SHA512: f161ef18e7e8d748168638f2c92eb05759bc002185578cfd0f672c16dba267fc2329930b479e204c974d736e64f65bf072e0ee80e2b0d131892079263b561a22
SSDEEP: 12288:eDK0n3qGaNHEyC9/oR9gy5FHK7zRsugClbeiIOUiw3fRAruzUDABXamsyPL1xmIw:eDKcPp9AR95yVsuMizcvaAsixxSiUtj
Malware Config
Extracted
warzonerat
45.137.22.62:4231
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (8 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-22-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-24-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-26-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2780-27-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2916 set thread context of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid | process | target process
PID 2916 wrote to memory of 2592 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | schtasks.exe
PID 2916 wrote to memory of 2592 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | schtasks.exe
PID 2916 wrote to memory of 2592 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | schtasks.exe
PID 2916 wrote to memory of 2592 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | schtasks.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780 | 2916 | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe | f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2916
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIOgFBAzGifYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA093.tmp"
    - Creates scheduled task(s)
    PID: 2592
  C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe"
    PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 1dd91615b1322fbd3ffc9e8841ae7677
SHA1: b28510b454e4f8f845a992d7a25417b063243fa3
SHA256: daa28bb5051142d22c247b783ecaa496e29971c947e7ebb8aa822937f8f5c249
SHA512: 8e97f91bdd7e9c29c1ba1f9c9d6f7e1d32278f15cd369e58f96d668235e4c6a5c069a58d5a5367db8e189839a77605dab6945fc636544e90e318cdb09a13c0a8