warzonerat | f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782

General

Target

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
Size

1.3MB
MD5

fed9ab5b2162b76ab5d83a9bf07342b3
SHA1

0dd925c9fc2ee6b95d760d184326f32b681ffd49
SHA256

f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782
SHA512

56cff7e236ccc12df18a9b9c903e2aee4aba4838d1190551d86af68bddc38aab4de7ac8f8adca995bb7446ed49280efd9dc9270048150b59fdf78203e76478df
SSDEEP

24576:vJjAKND1LIQgBPiXcDvWEAU07P2vIBzjoR:vJjN9IQEiXcUo

Score

10^/10

warzonerat zgrat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

andronmatskiv20.sytes.net:5200

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1592-9-0x0000000006740000-0x00000000067C2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-10-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-11-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-13-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-15-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-17-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-19-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-21-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-23-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-25-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-27-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-29-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-31-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-33-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-35-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-37-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-39-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-41-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-43-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-45-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-47-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-49-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-51-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-53-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-55-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-57-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-59-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-61-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-63-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-65-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-67-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-69-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-71-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1
behavioral2/memory/1592-73-0x0000000006740000-0x00000000067BB000-memory.dmp	family_zgrat_v1

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5068-2426-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5068-2433-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2592-4857-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

4156 images.exe
2592 images.exe

pid	process
4156	images.exe
2592	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exeimages.exe

description	pid	process	target process
PID 1592 set thread context of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 4156 set thread context of 2592	4156	images.exe	images.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exeimages.exe

pid	process
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe
4156	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exeimages.exe

description pid process

Token: SeDebugPrivilege 1592 fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
Token: SeDebugPrivilege 4156 images.exe

description	pid	process
Token: SeDebugPrivilege	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
Token: SeDebugPrivilege	4156	images.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exefed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exeimages.exeimages.exe

description	pid	process	target process
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 1592 wrote to memory of 5068	1592	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
PID 5068 wrote to memory of 4156	5068	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	images.exe
PID 5068 wrote to memory of 4156	5068	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	images.exe
PID 5068 wrote to memory of 4156	5068	fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 4156 wrote to memory of 2592	4156	images.exe	images.exe
PID 2592 wrote to memory of 1456	2592	images.exe	cmd.exe
PID 2592 wrote to memory of 1456	2592	images.exe	cmd.exe
PID 2592 wrote to memory of 1456	2592	images.exe	cmd.exe
PID 2592 wrote to memory of 1456	2592	images.exe	cmd.exe
PID 2592 wrote to memory of 1456	2592	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5068

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156

C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
1.3MB

MD5
fed9ab5b2162b76ab5d83a9bf07342b3

SHA1
0dd925c9fc2ee6b95d760d184326f32b681ffd49

SHA256
f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782

SHA512
56cff7e236ccc12df18a9b9c903e2aee4aba4838d1190551d86af68bddc38aab4de7ac8f8adca995bb7446ed49280efd9dc9270048150b59fdf78203e76478df

Download Submit
memory/1592-43-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-69-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/1592-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/1592-4-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1592-5-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/1592-6-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/1592-7-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1592-8-0x0000000006460000-0x00000000064B8000-memory.dmp

Filesize
352KB

Download
memory/1592-9-0x0000000006740000-0x00000000067C2000-memory.dmp

Filesize
520KB

Download
memory/1592-10-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-11-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-13-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-15-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-17-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-19-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-21-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-23-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-25-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-27-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-29-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-31-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-33-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-35-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-37-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-39-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-41-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-0-0x00000000006D0000-0x0000000000820000-memory.dmp

Filesize
1.3MB

Download
memory/1592-57-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-47-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-49-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-51-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-53-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-55-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-45-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-59-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-61-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-63-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-65-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-67-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-1-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/1592-71-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-73-0x0000000006740000-0x00000000067BB000-memory.dmp

Filesize
492KB

Download
memory/1592-403-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1592-2421-0x0000000000F80000-0x0000000000FE6000-memory.dmp

Filesize
408KB

Download
memory/1592-2427-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2592-4857-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4156-2432-0x0000000073DE0000-0x0000000074590000-memory.dmp

Filesize
7.7MB

Download
memory/4156-2434-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4156-2435-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4156-2436-0x0000000073DE0000-0x0000000074590000-memory.dmp

Filesize
7.7MB

Download
memory/4156-2437-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4156-3076-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4156-4858-0x0000000073DE0000-0x0000000074590000-memory.dmp

Filesize
7.7MB

Download
memory/5068-2426-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5068-2433-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads