Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2024 12:08
Static task: static1
Behavioral task: behavioral1
- Sample: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
(The signatures, memory dumps and process tree below are from behavioral2, the Windows 10 run.)
General
- Target: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
- Size: 336KB
- MD5: ff3d380d75da0970ca814403921a512d
- SHA1: bd06d7efc8946846addb9593893ac91a668d1e75
- SHA256: 1c2437ae6ffc0eee1e868edc26540d7b1fc8992209ec776644fc8c83c83b0032
- SHA512: 0e9fcbd1f3753a11a5745e467d630fd36077879df982d8cf98e06e08718e4d369c452c7ad8819dbdf93ad6685e2fa99ec9b059cff0c5feaf69236ad80b280f3c
- SSDEEP: 6144:iFOwiyeVH0dxiroXWm/XFWdLUiIr5QhXY+lG9ijjz8QTOV0y4AS7E:yiyexQtVwYXyYOGe/811zn
Malware Config
Extracted
- Family: warzonerat
- C2: hjjhjkk.ydns.eu:7009
Signatures
Detect ZGRat V1 (34 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/4800-9-0x00000000064D0000-0x000000000653E000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-10-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-11-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-15-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-13-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-17-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-19-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-21-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-23-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-25-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-27-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-29-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-31-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-33-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-35-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-37-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-39-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-41-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-43-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-45-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-47-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-49-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-51-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-53-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-55-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-57-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-59-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-61-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-63-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-65-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-67-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-69-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-71-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
- behavioral2/memory/4800-73-0x00000000064D0000-0x0000000006539000-memory.dmp  family_zgrat_v1
(All 34 hits are successive dumps of the same region of PID 4800, 0x64D0000-0x6539000; dump 9 extends to 0x653E000.)
Detects BazaLoader malware (4 IoCs)
BazaLoader is a trojan that sends its logs to the command and control (C2) server, Base64-encoded, in GET requests.
Processes (resource, yara_rule):
- behavioral2/memory/2780-2209-0x0000000000400000-0x000000000055E000-memory.dmp  BazaLoader
- behavioral2/memory/2780-2213-0x0000000000400000-0x000000000055E000-memory.dmp  BazaLoader
- behavioral2/memory/640-4420-0x0000000000400000-0x000000000055E000-memory.dmp  BazaLoader
- behavioral2/memory/640-4423-0x0000000000400000-0x000000000055E000-memory.dmp  BazaLoader
Note: these are the same four PID 2780 / PID 640 image-region dumps that match the Warzone RAT payload rule below, and the configuration extracted from the sample is warzonerat.
WarzoneRat, AveMaria
WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT payload (4 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/2780-2209-0x0000000000400000-0x000000000055E000-memory.dmp  warzonerat
- behavioral2/memory/2780-2213-0x0000000000400000-0x000000000055E000-memory.dmp  warzonerat
- behavioral2/memory/640-4420-0x0000000000400000-0x000000000055E000-memory.dmp  warzonerat
- behavioral2/memory/640-4423-0x0000000000400000-0x000000000055E000-memory.dmp  warzonerat
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 4392  images.exe
- 640  images.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (pid, process, target process):
- PID 4800 set thread context of 2780: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe -> ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
- PID 4392 set thread context of 640: images.exe -> images.exe
Note: in both cases the target is a child started from the parent's own image, and it is those children (PID 2780 and PID 640) whose 0x400000 image regions match the Warzone RAT payload rule above, while the parent PID 4800 is the process matching the ZGRat rule.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 4800  ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (6 hits)
- 4392  images.exe  (2 hits)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (token, pid, process):
- Token: SeDebugPrivilege  4800  ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
- Token: SeDebugPrivilege  4392  images.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes (pid, process, target process; repeated records collapsed with their counts):
- PID 4800 wrote to memory of 2700: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe -> ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (3 records)
- PID 4800 wrote to memory of 2780: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe -> ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (10 records)
- PID 2780 wrote to memory of 680: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe -> cmd.exe  (3 records)
- PID 2780 wrote to memory of 4392: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe -> images.exe  (3 records)
- PID 680 wrote to memory of 2580: cmd.exe -> reg.exe  (3 records)
- PID 4392 wrote to memory of 640: images.exe -> images.exe  (10 records)
- PID 640 wrote to memory of 232: images.exe -> cmd.exe  (5 records)
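The SetThreadContext and WriteProcessMemory signatures above list the injection chain only as a flat run of records. The Python below is an added example, not part of the sandbox report or its tooling: it parses records written in the sandbox's own wording, rebuilds the parent-to-child graph, and flags the pairs where a parent both wrote into and set the thread context of a child created from its own image, the process-hollowing sequence that turns PID 4800 into PID 2780 and PID 4392 into PID 640. The input is constructed from this report's records (the two SetThreadContext lines verbatim, the 37 write records expanded from per-pair counts); the regex, the function names and the "same image" heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

SAMPLE = "ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe"

# Constructed input, built from this report's own records: the two
# "set thread context" lines verbatim, and the 37 "wrote to memory" records
# as (src pid, dst pid, src image, dst image, repeats), expanded into the
# sandbox's flattened wording so the parser sees realistic input.
SET_THREAD_CONTEXT = (
    f"PID 4800 set thread context of 2780 4800 {SAMPLE} {SAMPLE} "
    "PID 4392 set thread context of 640 4392 images.exe images.exe"
)
WRITE_RECORDS = [
    (4800, 2700, SAMPLE, SAMPLE, 3),
    (4800, 2780, SAMPLE, SAMPLE, 10),
    (2780, 680, SAMPLE, "cmd.exe", 3),
    (2780, 4392, SAMPLE, "images.exe", 3),
    (680, 2580, "cmd.exe", "reg.exe", 3),
    (4392, 640, "images.exe", "images.exe", 10),
    (640, 232, "images.exe", "cmd.exe", 5),
]
WRITE_PROCESS_MEMORY = " ".join(
    f"PID {s} wrote to memory of {d} {s} {si} {di}"
    for s, d, si, di, n in WRITE_RECORDS for _ in range(n)
)

# One record in the sandbox's wording (assumed format):
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(blob):
    """Pull records out of text whether they sit one per line or are run
    together on a single line, as they are on this page."""
    return [m.groupdict() for m in RECORD.finditer(blob)]


def build_edges(records):
    """Aggregate records into (src, dst) -> verbs seen, write count, images."""
    edges = {}
    for r in records:
        key = (int(r["src"]), int(r["dst"]))
        e = edges.setdefault(key, {"verbs": set(), "writes": 0,
                                  "src_img": r["src_img"], "dst_img": r["dst_img"]})
        e["verbs"].add(r["verb"])
        if r["verb"] == "wrote to memory of":
            e["writes"] += 1
    return edges


def hollowing_candidates(edges):
    """A parent that writes into a child started from its own image and then
    sets that child's thread context is the process-hollowing sequence
    (WriteProcessMemory + SetThreadContext on a suspended copy of itself)."""
    needed = {"wrote to memory of", "set thread context of"}
    return [
        (src, dst, e["dst_img"])
        for (src, dst), e in sorted(edges.items())
        if needed <= e["verbs"] and e["src_img"] == e["dst_img"]
    ]


def spawn_chain(edges, root):
    """Depth-first walk of the write edges from the root PID; here every
    write target is a freshly created child, so this is the spawn tree."""
    children = defaultdict(list)
    for (src, dst), e in edges.items():
        children[src].append((dst, e["dst_img"]))
    order = []

    def walk(pid):
        for dst, img in sorted(children[pid]):
            order.append((pid, dst, img))
            walk(dst)

    walk(root)
    return order


if __name__ == "__main__":
    edges = build_edges(parse_records(SET_THREAD_CONTEXT + " " + WRITE_PROCESS_MEMORY))
    for src, dst, img in hollowing_candidates(edges):
        print(f"hollowing: {src} -> {dst} ({img}), {edges[(src, dst)]['writes']} writes")
    for src, dst, img in spawn_chain(edges, 4800):
        print(f"{src} -> {dst} {img}")
```

Because the regex anchors on the sandbox's repeated "PID <src> ... <src>" shape, parse_records() works on the page's run-together lines without first splitting them; the write counts it recovers (10 into each hollowed child, 3 into each cmd.exe/reg.exe launch) are the figures the signature section reports.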
Processes (indented by depth; signatures as listed by the sandbox)
C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (PID 4800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (PID 2700)
    Command line: C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe  (PID 2780)
    Command line: C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 680)
      Command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 2580)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    C:\ProgramData\images.exe  (PID 4392)
      Command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\images.exe  (PID 640)
        Command line: C:\Users\Admin\AppData\Local\Temp\images.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 232)
          Command line: "C:\Windows\System32\cmd.exe"
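The cmd.exe to reg.exe step in the tree above is the sample's persistence: a Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows pointing at the dropped C:\ProgramData\images.exe. The Python below is an added example, not part of the report or of any vendor tooling: it parses a reg add command line as it would appear in a process-creation log and scores registry values from a constructed snapshot (the observed Load value plus three made-up entries). The watched-key list, the severity levels and the user-writable-directory heuristic are assumptions of the example; on a live host classify() would be fed from the registry (for instance via winreg) instead of the snapshot.

```python
import re
from pathlib import PureWindowsPath

# The persistence command captured in the process tree (PID 680), verbatim.
OBSERVED_CMDLINE = (
    r'cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" '
    r'/f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'
)

# Assumed watch list: subkeys (lower-case, hive stripped) whose values start
# programs at logon, mapped to the value names that matter (None = any name).
# "Load" under Windows NT\CurrentVersion\Windows is run by userinit at logon
# and is normally absent, so anything in it deserves a look.
LOGON_KEYS = {
    r"software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"software\microsoft\windows\currentversion\run": None,
    r"software\microsoft\windows\currentversion\runonce": None,
}
USER_WRITABLE_DIRS = {"programdata", "appdata", "temp", "public", "downloads"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes
    (backslashes are not escapes, unlike shlex in POSIX mode)."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_reg_add(cmdline):
    """Hive, subkey, value name, type and data from a 'reg add' command line,
    unwrapping a leading 'cmd.exe /c'. Returns None if it is not a reg add."""
    toks = tokenize(cmdline)
    if len(toks) > 2 and PureWindowsPath(toks[0]).stem.lower() == "cmd" and toks[1].lower() == "/c":
        toks = toks[2:]
    if len(toks) < 3 or PureWindowsPath(toks[0]).stem.lower() != "reg" or toks[1].lower() != "add":
        return None
    hive, _, subkey = toks[2].partition("\\")
    entry = {"hive": hive.upper(), "subkey": subkey, "name": "", "type": "REG_SZ", "data": "", "force": False}
    i = 3
    while i < len(toks):
        opt = toks[i].lower()
        if opt == "/f":
            entry["force"] = True
        elif opt in ("/v", "/t", "/d") and i + 1 < len(toks):
            entry[{"/v": "name", "/t": "type", "/d": "data"}[opt]] = toks[i + 1]
            i += 1
        i += 1
    return entry


def classify(subkey, name, data):
    """Severity ('none', 'low', 'medium', 'high') and reasons for one value."""
    key = subkey.lower()
    reasons = []
    if key not in LOGON_KEYS:
        return "none", reasons
    names = LOGON_KEYS[key]
    if names is not None and name.lower() not in names:
        return "none", reasons          # unrelated setting in a watched key
    severity = "medium"
    if key.endswith(r"windows nt\currentversion\windows"):
        severity = "high"
        reasons.append(f"{name} value under Windows NT\\CurrentVersion\\Windows: run by userinit at logon, normally empty")
    program = tokenize(data)[0] if data.strip() else ""   # executable before any arguments
    parts = {p.lower() for p in PureWindowsPath(program).parts}
    if parts & USER_WRITABLE_DIRS:
        reasons.append(f"launches from a user-writable location: {program}")
    elif severity == "medium":
        severity = "low"                # Run entry pointing into a system directory
    return severity, reasons


def scan_snapshot(entries):
    """Apply classify() to (hive, subkey, name, data) rows; worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for hive, subkey, name, data in entries:
        severity, reasons = classify(subkey, name, data)
        if severity != "none":
            findings.append({"severity": severity, "key": f"{hive}\\{subkey}",
                             "name": name, "data": data, "reasons": reasons})
    return sorted(findings, key=lambda f: rank[f["severity"]])


# Constructed snapshot: the value reg.exe (PID 2580) wrote in this run, plus
# three made-up entries to show the other outcomes.
SNAPSHOT = [
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load", r"C:\ProgramData\images.exe"),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "DeviceNotSelectedTimeout", "15"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r'"C:\Users\Admin\AppData\Roaming\upd\updater.exe" /silent'),
]

if __name__ == "__main__":
    cmd = parse_reg_add(OBSERVED_CMDLINE)
    print("command line:", classify(cmd["subkey"], cmd["name"], cmd["data"]))
    for f in scan_snapshot(SNAPSHOT):
        print(f["severity"], f["key"], f["name"], f["data"], f["reasons"])
```

The command-line path matters because the write is visible in process-creation telemetry before any registry audit runs; the snapshot path is what a periodic host check would do. Both lead to the same verdict for this sample: a Load value is set, and it points into ProgramData.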
Downloads
- Filesize: 336KB
- MD5: ff3d380d75da0970ca814403921a512d
- SHA1: bd06d7efc8946846addb9593893ac91a668d1e75
- SHA256: 1c2437ae6ffc0eee1e868edc26540d7b1fc8992209ec776644fc8c83c83b0032
- SHA512: 0e9fcbd1f3753a11a5745e467d630fd36077879df982d8cf98e06e08718e4d369c452c7ad8819dbdf93ad6685e2fa99ec9b059cff0c5feaf69236ad80b280f3c