General

  • Target

    05acd96f3b078b5457fa5d75fd9c4031_JaffaCakes118

  • Size

    2.7MB

  • Sample

    240428-vpfe3acg41

  • MD5

    05acd96f3b078b5457fa5d75fd9c4031

  • SHA1

    329634aea8ef821953547ccbae0bd28e40fd3e5e

  • SHA256

    dedec45c96601d5e4ffbb4520bec73a729e4f291e8fa0a40b067c600667c02cb

  • SHA512

    0baea9f30bdf19ebf8814809b6648f4158ee8cf2a0d0e2fe8b3398d3eb884e6d6efe235660d0f4375e750789d697c9e11f7103a3a3ac4f50778d73450f103f84

  • SSDEEP

    24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH813:fF6mw4gxeOw46fUbNecCCFbNecF

Malware Config

Targets

    • Target

      05acd96f3b078b5457fa5d75fd9c4031_JaffaCakes118

    • Size

      2.7MB

    • MD5

      05acd96f3b078b5457fa5d75fd9c4031

    • SHA1

      329634aea8ef821953547ccbae0bd28e40fd3e5e

    • SHA256

      dedec45c96601d5e4ffbb4520bec73a729e4f291e8fa0a40b067c600667c02cb

    • SHA512

      0baea9f30bdf19ebf8814809b6648f4158ee8cf2a0d0e2fe8b3398d3eb884e6d6efe235660d0f4375e750789d697c9e11f7103a3a3ac4f50778d73450f103f84

    • SSDEEP

      24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH813:fF6mw4gxeOw46fUbNecCCFbNecF

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks