Analysis
max time kernel: 154s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 11:43
Static task: static1
Behavioral task: behavioral1
  Sample: fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
Size: 1.3MB
MD5: fa39a305180ccfd7fe227d94f463f900
SHA1: a97c990b46b5ff05b46dc6778a6f79b92c2618d8
SHA256: 3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0
SHA512: 4fee67879b3fcb4ec4f16c52dd7d5b87618e4f8af61bc2517062e8a31124ad18b2ac6f7a095bfeafb0d09ad22d4294d856d453dd22b585c32bbb27a5605cbbf0
SSDEEP: 6144:yFiODSVo8MrfuwkDvRBFyV9tDH6VdIa3aLHbufFrXj+SRrhW+QE5jUQyygegclqR:yswSGF2w3EzxBlK
Malware Config
Extracted family: warzonerat
C2: akwz.mypets.ws:2849
Signatures

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

Warzone RAT payload (4 IoCs)
Resource | YARA rule
behavioral2/memory/4080-2-0x0000000002710000-0x0000000003210000-memory.dmp | warzonerat
behavioral2/memory/4080-1-0x0000000003210000-0x0000000003364000-memory.dmp | warzonerat
behavioral2/memory/4080-16-0x0000000003210000-0x0000000003364000-memory.dmp | warzonerat
behavioral2/memory/4776-66-0x0000000003490000-0x00000000035E4000-memory.dmp | warzonerat

Drops startup file (2 IoCs)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
PID | Process
4776 | images.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe

NTFS ADS (1 IoC)
Description | IoC | Process
File created | C:\ProgramData:ApplicationData | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID | Process | Entries
1648 | powershell.exe | 2
2032 | powershell.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 1648 | powershell.exe
Token: SeDebugPrivilege | 2032 | powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Description | PID | Process | Target process | Entries
PID 4080 wrote to memory of 1648 | 4080 | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe | powershell.exe | 3
PID 4080 wrote to memory of 4776 | 4080 | fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe | images.exe | 3
PID 4776 wrote to memory of 2032 | 4776 | images.exe | powershell.exe | 3
PID 4776 wrote to memory of 4836 | 4776 | images.exe | cmd.exe | 5
Processes

C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe (PID 4080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1648)
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\images.exe (PID 4776)
      Command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2032)
          Command line: powershell Add-MpPreference -ExclusionPath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 4836)
          Command line: "C:\Windows\System32\cmd.exe"
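The behaviours recorded above are the ones a detection engineer would turn into rules: both the dropper and the dropped images.exe run `Add-MpPreference -ExclusionPath C:\`, which excludes the entire system drive from Defender scanning rather than a single folder; the dropper writes programs.bat (plus an alternate data stream on it) into the Startup folder, sets a Run key pointing at C:\ProgramData\images.exe, and creates an ADS on C:\ProgramData itself; and the extracted config gives the C2 endpoint. The Python below is an added example, not part of this report and not code from the sample. It runs those checks over constructed Sysmon-style event records that mirror the report's IoCs; the field names and event-ID mapping are assumptions, the benign notepad record is a control, and the network record is built from the extracted config, not from a connection observed in this report.

```python
import re

# Event-ID mapping for the constructed Sysmon-style records below (assumption,
# not the schema of the sandbox that produced this report).
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE, REGISTRY_SET = 1, 3, 11, 13

# Indicator taken from the "Malware Config" section of this report.
C2_ENDPOINTS = {("akwz.mypets.ws", 2849)}

# Defender exclusion added from a command line; group(1) is the excluded target.
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(\S+)", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# A second colon after the drive letter with no separator after it names an NTFS
# alternate data stream (e.g. C:\ProgramData:ApplicationData, ...\programs.bat:start).
NTFS_ADS = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\/:]+$")
PROGRAMDATA_EXE = re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$", re.IGNORECASE)


def detect(events):
    """Return (rule, pid, detail) hits for the behaviours documented in this report."""
    hits = []
    for ev in events:
        eid, pid = ev["event_id"], ev["pid"]
        if eid == PROCESS_CREATE:
            m = DEFENDER_EXCLUSION.search(ev.get("command_line", ""))
            if m:
                target = m.group(1).strip("\"'")
                # Excluding a whole drive blinds Defender to everything on it; rank it higher.
                rule = "defender_exclusion_drive_root" if DRIVE_ROOT.match(target) else "defender_exclusion"
                hits.append((rule, pid, target))
            if PROGRAMDATA_EXE.match(ev.get("image", "")):
                hits.append(("exe_launched_from_programdata", pid, ev["image"]))
        elif eid == FILE_CREATE:
            path = ev["target"]
            if STARTUP_DIR.search(path):
                hits.append(("startup_folder_write", pid, path))
            if NTFS_ADS.match(path):
                hits.append(("ntfs_ads_write", pid, path))
        elif eid == REGISTRY_SET:
            if RUN_KEY.search(ev["target"]):
                hits.append(("run_key_persistence", pid, f"{ev['target']} = {ev.get('details', '')}"))
        elif eid == NETWORK_CONNECT:
            if (ev.get("dest_host"), ev.get("dest_port")) in C2_ENDPOINTS:
                hits.append(("known_c2_connection", pid, f"{ev['dest_host']}:{ev['dest_port']}"))
    return hits


def ancestry(events, pid):
    """Walk parent_pid links back to the root and return the image names, root first."""
    by_pid = {e["pid"]: e for e in events if e["event_id"] == PROCESS_CREATE}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid].get("parent_pid")
    return chain[::-1]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat"

# Constructed records mirroring the report's process tree and IoCs (not real sandbox output).
EVENTS = [
    {"event_id": PROCESS_CREATE, "pid": 4080, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"event_id": PROCESS_CREATE, "pid": 1648, "parent_pid": 4080, "image": PS,
     "command_line": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"event_id": FILE_CREATE, "pid": 4080, "target": STARTUP},
    {"event_id": FILE_CREATE, "pid": 4080, "target": STARTUP + ":start"},
    {"event_id": REGISTRY_SET, "pid": 4080,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "details": r"C:\ProgramData\images.exe"},
    {"event_id": FILE_CREATE, "pid": 4080, "target": r"C:\ProgramData:ApplicationData"},
    {"event_id": PROCESS_CREATE, "pid": 4776, "parent_pid": 4080, "image": r"C:\ProgramData\images.exe",
     "command_line": r'"C:\ProgramData\images.exe"'},
    {"event_id": PROCESS_CREATE, "pid": 2032, "parent_pid": 4776, "image": PS,
     "command_line": "powershell Add-MpPreference -ExclusionPath C:\\"},
    # Built from the extracted config, not from a connection observed in this report.
    {"event_id": NETWORK_CONNECT, "pid": 4776, "dest_host": "akwz.mypets.ws", "dest_port": 2849},
    # Benign control record that must not fire any rule.
    {"event_id": PROCESS_CREATE, "pid": 9999, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
    print("chain for 2032:", " -> ".join(ancestry(EVENTS, 2032)))
```

The two exclusion hits come from different processes (1648 under the dropper, 2032 under images.exe); `ancestry` ties them back to the same root so they correlate as one intrusion rather than two alerts. The ADS check deliberately fires on the Startup-folder file too, since programs.bat:start is both a Startup drop and a stream write, as the report lists it.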
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: fa39a305180ccfd7fe227d94f463f900
SHA1: a97c990b46b5ff05b46dc6778a6f79b92c2618d8
SHA256: 3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0
SHA512: 4fee67879b3fcb4ec4f16c52dd7d5b87618e4f8af61bc2517062e8a31124ad18b2ac6f7a095bfeafb0d09ad22d4294d856d453dd22b585c32bbb27a5605cbbf0

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 18KB
MD5: 766d00b8a163c8f38f6ca0ed73a476b4
SHA1: cc766bf66b13cab5797f67670d9e0030037dba9c
SHA256: 7de5e67f4073016ac12b0cb503f88e5e66cc67ae4cc330bf9cd13efa278abad9
SHA512: 33e3cbae1bec767cbe7cd3a0360f07041b37145eb141dd47b876728be55ad77b779915a16dde25997008d6d879b5b13f58f6b47d38a55ec7e4ea5db185b63c76

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82