General

  • Target

    047174833d82a08e6708f763dc2e9509_JaffaCakes118

  • Size

    1.8MB

  • Sample

    240428-fvheaagg68

  • MD5

    047174833d82a08e6708f763dc2e9509

  • SHA1

    2c838c06317501037fdf9642283b54e3fa553522

  • SHA256

    81e2235db13544d9c1b41dfe49aeeae18f9410b01f125522f1be5adde02b98fd

  • SHA512

    54c7e6a54f66c5c581b88b4c418a598be76c3f6f5681a30314ce0d4c32dfc50098eeb8e905ccc708ff0c020dcb217a6da5c229e017d70e9c60947fe0470cd0c9

  • SSDEEP

    12288:c99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgg:o1gg4CppEI6GGfWDkMQDbGV6eH8tkz

Malware Config

Targets

    • Target

      047174833d82a08e6708f763dc2e9509_JaffaCakes118

    • Size

      1.8MB

    • MD5

      047174833d82a08e6708f763dc2e9509

    • SHA1

      2c838c06317501037fdf9642283b54e3fa553522

    • SHA256

      81e2235db13544d9c1b41dfe49aeeae18f9410b01f125522f1be5adde02b98fd

    • SHA512

      54c7e6a54f66c5c581b88b4c418a598be76c3f6f5681a30314ce0d4c32dfc50098eeb8e905ccc708ff0c020dcb217a6da5c229e017d70e9c60947fe0470cd0c9

    • SSDEEP

      12288:c99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgg:o1gg4CppEI6GGfWDkMQDbGV6eH8tkz

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native Windows RAT written in C++, sold as malware-as-a-service (MaaS) with multiple optional plugins.

    • Warzone RAT payload

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
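The four registry-based behaviours above (Winlogon tampering, hiding hidden/system files in Explorer, a Run key, and an Active Setup "Installed Components" entry) all surface as registry value writes, so they can be checked on a host or in a SIEM without the sandbox. The block below is an added example, not part of this report or of any sandbox vendor's code: it runs simple detection logic over constructed Sysmon Event ID 13 (RegistryEvent, value set) records. The file paths, the process name `images.exe` and the Active Setup GUID are placeholders invented for the example, not indicators from this sample; the SetThreadContext signature is a process-injection indicator and is outside what this registry check covers.

```python
"""Flag the registry changes the report lists, over constructed Sysmon
Event ID 13 (RegistryEvent / SetValue) records."""
import re

# Constructed records modelled on Sysmon Event ID 13 fields. They are NOT
# taken from the sandbox run; the paths, process name and GUID are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\images.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": r"C:\Users\victim\AppData\Roaming\images.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\images.exe"},
    # Benign noise: the user toggled "show hidden files" in Explorer itself.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    # Benign noise: a service writing an unrelated policy value.
    {"Image": r"C:\Windows\system32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions",
     "Details": "DWORD (0x00000004)"},
]

WINLOGON_VALUES = {"userinit", "shell"}
# What Windows itself writes to these Winlogon entries on a clean system.
WINLOGON_EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}
EXPLORER_VISIBILITY_VALUES = {"hidden", "showsuperhidden"}
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9a-fA-F]{8})\)")


def parse_dword(details):
    """Return the integer from Sysmon's 'DWORD (0x........)' rendering, or None."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return the list of tags a single registry value-set event earns."""
    parts = event["TargetObject"].split("\\")
    key = "\\".join(parts[:-1]).lower()
    value = parts[-1].lower()
    details = event.get("Details", "")
    image = event.get("Image", "").lower()
    tags = []

    # Winlogon Userinit/Shell are comma-separated lists; anything beyond the
    # stock entries runs at every logon.
    if key.endswith(r"\currentversion\winlogon") and value in WINLOGON_VALUES:
        entries = {e.strip().lower() for e in details.split(",") if e.strip()}
        if entries - WINLOGON_EXPECTED[value]:
            tags.append("winlogon_persistence")

    # Hidden=2 suppresses hidden files, ShowSuperHidden=0 suppresses protected
    # OS files. Explorer writes these when the user flips the option, so only a
    # non-Explorer writer is interesting.
    if (key.endswith(r"\explorer\advanced") and value in EXPLORER_VISIBILITY_VALUES
            and not image.endswith("\\explorer.exe")):
        n = parse_dword(details)
        if (value == "hidden" and n == 2) or (value == "showsuperhidden" and n == 0):
            tags.append("hides_hidden_system_files")

    if re.search(r"\\currentversion\\run(once)?$", key):
        tags.append("run_key_persistence")

    # Active Setup StubPath runs once per user at next logon.
    if "\\active setup\\installed components\\" in key and value == "stubpath":
        tags.append("active_setup_persistence")

    return tags


def scan(events):
    """Return (tag, image, target, details) for every flagged event."""
    findings = []
    for ev in events:
        for tag in classify(ev):
            findings.append((tag, ev["Image"], ev["TargetObject"], ev.get("Details", "")))
    return findings


if __name__ == "__main__":
    for tag, image, target, details in scan(SAMPLE_EVENTS):
        print(f"{tag:28} {image}\n    {target} = {details}")
```

On a live host the same checks can be run against the registry directly (the Winlogon `Userinit` and `Shell` values, the `Run`/`RunOnce` keys, Explorer's `Advanced` values and `Active Setup\Installed Components\*\StubPath`); the Sysmon form is shown here because it also records which process made the write, which is what separates a user toggling a setting from a dropped executable doing it.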

MITRE ATT&CK Enterprise v15

Tasks