warzonerat | e90bb8f634ea320dd9e39c3f7c007402c0a696ef31cce92a259c7fca6e479514

General

Target

f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
Size

970KB
MD5

f990e61f27aa6b6f21e22ec66da256bc
SHA1

b1b3ab210652a8268424489d272091e811833f08
SHA256

e90bb8f634ea320dd9e39c3f7c007402c0a696ef31cce92a259c7fca6e479514
SHA512

f161ef18e7e8d748168638f2c92eb05759bc002185578cfd0f672c16dba267fc2329930b479e204c974d736e64f65bf072e0ee80e2b0d131892079263b561a22
SSDEEP

12288:eDK0n3qGaNHEyC9/oR9gy5FHK7zRsugClbeiIOUiw3fRAruzUDABXamsyPL1xmIw:eDKcPp9AR95yVsuMizcvaAsixxSiUtj

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

45.137.22.62:4231

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-22-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-24-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-26-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-27-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe

description	pid	process	target process
PID 2916 set thread context of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2592 schtasks.exe

pid	process
2592	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIOgFBAzGifYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA093.tmp"
2⤵
- Creates scheduled task(s)
PID:2592

C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe"
2⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA093.tmp
Filesize
1KB

MD5
1dd91615b1322fbd3ffc9e8841ae7677

SHA1
b28510b454e4f8f845a992d7a25417b063243fa3

SHA256
daa28bb5051142d22c247b783ecaa496e29971c947e7ebb8aa822937f8f5c249

SHA512
8e97f91bdd7e9c29c1ba1f9c9d6f7e1d32278f15cd369e58f96d668235e4c6a5c069a58d5a5367db8e189839a77605dab6945fc636544e90e318cdb09a13c0a8

Download Submit
memory/2780-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-15-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-27-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-13-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-7-0x0000000000890000-0x00000000008B2000-memory.dmp

Filesize
136KB

Download
memory/2916-4-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-0-0x00000000008F0000-0x00000000009E8000-memory.dmp

Filesize
992KB

Download
memory/2916-5-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2916-3-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/2916-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-25-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2916-6-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download

description	pid	process	target process
PID 2916 wrote to memory of 2592	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2592	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2592	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2592	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	schtasks.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe
PID 2916 wrote to memory of 2780	2916	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe	f990e61f27aa6b6f21e22ec66da256bc_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads