General
-
Target
fd1a4389ae602d038236500becb9e716_JaffaCakes118
-
Size
13.0MB
-
Sample
240420-s55zjsbh63
-
MD5
fd1a4389ae602d038236500becb9e716
-
SHA1
07391dfac902cf86854020fc1a869ba40c0a83ed
-
SHA256
e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
-
SHA512
6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
-
SSDEEP
196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStD:D7d9xZo7d9xZS7d9xZo7d9xZA
Behavioral task
behavioral1
Sample
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
Resource
win10v2004-20240412-en
Malware Config
Targets
-
-
Target
fd1a4389ae602d038236500becb9e716_JaffaCakes118
-
Size
13.0MB
-
MD5
fd1a4389ae602d038236500becb9e716
-
SHA1
07391dfac902cf86854020fc1a869ba40c0a83ed
-
SHA256
e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
-
SHA512
6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
-
SSDEEP
196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStD:D7d9xZo7d9xZS7d9xZo7d9xZA
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1