General

  • Target

    04b109f50a9104ee138fbdd41cfc7276_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240428-jhjy5aba75

  • MD5

    04b109f50a9104ee138fbdd41cfc7276

  • SHA1

    bd11260ecd885945b007622ec690a1f9d2b1aa53

  • SHA256

    e066e2e39b6046408fdc592b4f9c383d8e4facfb83dbb00baca41e07aeeae49d

  • SHA512

    0fc40a79c3e74842a975de7e79bc2c63c4d523d998fe4c65c2a0c11bd3c08f7a2daab2f4e52cc65990d19197b8f647bc30103b4cb73b28930337fab832023d2c

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHq:3Ty7A3mw4gxeOw46fUbNecCCFbNecj

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks