General

  • Target

    04a4ba459e75ca4cb5c2362e2f54e020_JaffaCakes118

  • Size

    2.7MB

  • Sample

    240428-hypzmsaf28

  • MD5

    04a4ba459e75ca4cb5c2362e2f54e020

  • SHA1

    c699ab7d3b48920048542ee9557e3aedecf6c843

  • SHA256

    d2f670f8367db46b5397f88e550f22a640e3557d5ce8dd557eda4d50db31c7b2

  • SHA512

    175f180023376638d0bbffd2a25f71c74248100d0f6b4504c22acc18427344c2f4b2feb96ee8ebf88368c7e7cff2c45b7dfd3d1d2268d6ca5b9924ef4a09d45b

  • SSDEEP

    24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81R:fF6mw4gxeOw46fUbNecCCFbNecP

Malware Config

Targets

    • Target

      04a4ba459e75ca4cb5c2362e2f54e020_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks