General

  • Target

    02172ea8e09d4eeb8f403f757c21a926_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240427-brw12sgh8v

  • MD5

    02172ea8e09d4eeb8f403f757c21a926

  • SHA1

    2eb4532c71221ed3ee1e22454fa993a7b203ae03

  • SHA256

    4c79fac73bcb9b05344237cc93c338196599f318f59e562c4da1400b554645f5

  • SHA512

    0fbe875aef6a70fe97ee77bc0363c3553445aa333cf4d9e0404953c6d77edfb2d7c0ab69de7963da5527f093ce267fce15a95774bfd41d142faa669a0e6820b5

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH/:3Ty7A3mw4gxeOw46fUbNecCCFbNec6

Targets

    • Target

      02172ea8e09d4eeb8f403f757c21a926_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15