Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 11:32
Static task: static1
Behavioral task: behavioral1
- Sample: 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 128b26f383a1f6bb071df23e1cfb82af
- SHA1: c9dab1c522d5cff0defb801acf634d948384e79e
- SHA256: e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b
- SHA512: a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b
- SSDEEP: 24576:Pj2iZXSjoekb9TXahIoFRFGM/SJLMJ3GAOxW4PLSf:ejoekb9LYIWRdSuFShPLSf
Malware Config
Extracted
- family: warzonerat
- C2: dultrasolutions.duckdns.org:7171
The C2 is a Duck DNS dynamic-DNS hostname, so the address it resolves to can change between runs; hunt and block on the hostname and port rather than on any single resolved IP.
Signatures
- WarzoneRat, AveMaria
  WarzoneRat (also tracked as AveMaria) is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (4 IoCs)
  YARA rule warzonerat matched the following memory dumps:
  resource | yara_rule
  behavioral1/memory/2696-0-0x0000000000340000-0x0000000000360000-memory.dmp | warzonerat
  behavioral1/memory/2696-2-0x0000000000360000-0x000000000037D000-memory.dmp | warzonerat
  behavioral1/memory/2696-15-0x0000000000360000-0x000000000037D000-memory.dmp | warzonerat
  behavioral1/memory/2632-20-0x00000000002B0000-0x00000000002CD000-memory.dmp | warzonerat
  All four hits are memory dumps from behavioral1: three regions of the original process (PID 2696) and one of the dropped images.exe (PID 2632), i.e. the payload as it sits unpacked in memory.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Both instances here run Add-MpPreference -ExclusionPath C:\, which excludes the entire system drive from Defender scanning. Add-MpPreference requires administrative rights, so the change only takes effect when the chain runs elevated.
  pid | process
  2464 | powershell.exe
  1156 | powershell.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2632 | images.exe
- Loads dropped DLL (1 IoC)
  pid | process
  2696 | 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
  (The report does not name the DLL.)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
  The Wow6432Node path is WOW64 registry redirection: the 32-bit sample wrote to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the entry (value name Images, data C:\ProgramData\images.exe) is machine-wide persistence that runs at every user logon.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2464 | powershell.exe
  1156 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2464 | powershell.exe
  Token: SeDebugPrivilege | 1156 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  source pid | source process | target pid | target process | writes
  2696 | 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe | 2464 | powershell.exe | 4
  2696 | 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe | 2632 | images.exe | 4
  2632 | images.exe | 1156 | powershell.exe | 4
  2632 | images.exe | 696 | cmd.exe | 6
  Every target is a child that the writing process itself spawned (see the process tree below), so these entries are writes made while creating those children; the report records no write into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe"
   PID: 2696
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Add-MpPreference -ExclusionPath C:\
      PID: 2464
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\ProgramData\images.exe
      command line: "C:\ProgramData\images.exe"
      PID: 2632
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell Add-MpPreference -ExclusionPath C:\
         PID: 1156
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe"
         PID: 696
         (The 32-bit parent asked for System32\cmd.exe and WOW64 file-system redirection resolved it to SysWOW64; the report records no arguments for this cmd.exe.)
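As an added example (not part of this report and not Tria.ge's own tooling), the following Python script turns the behaviours recorded above into triage rules and runs them over constructed Sysmon-style events that mirror the process tree. The PIDs, image paths, command lines, Run-key value and C2 hostname are taken from the report; the event field names, the parent PID 1000, the benign notepad.exe control entry and the short dynamic-DNS suffix list are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events mirroring this report's process tree.
# PIDs, image paths, command lines, the Run-key value and the C2 hostname come
# from the report; the field names, the parent PID 1000 and the benign
# notepad.exe control entry are assumptions made for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EXCL = "powershell Add-MpPreference -ExclusionPath C:\\"

EVENTS = [
    {"type": "process", "pid": 2696, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2464, "ppid": 2696, "image": PS, "cmdline": EXCL},
    {"type": "registry", "pid": 2696,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "value": r"C:\ProgramData\images.exe"},
    {"type": "process", "pid": 2632, "ppid": 2696, "image": r"C:\ProgramData\images.exe",
     "cmdline": r'"C:\ProgramData\images.exe"'},
    {"type": "process", "pid": 1156, "ppid": 2632, "image": PS, "cmdline": EXCL},
    {"type": "dns", "pid": 2632, "query": "dultrasolutions.duckdns.org"},
    {"type": "process", "pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Image paths a standard user can write to (where droppers stage payloads).
USER_WRITABLE = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
# Defender exclusion via Add-MpPreference; captures the exclusion kind and target.
EXCLUSION_CMD = re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Extension|Process)\s+(\S+)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Z]:\\?$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Assumption: a short illustrative list of dynamic-DNS suffixes, not a complete one.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def check_process(ev, by_pid):
    """Rules over one process-creation event; returns (pid, rule, severity, detail) tuples."""
    out = []
    m = EXCLUSION_CMD.search(ev["cmdline"])
    if m:
        kind, target = m.group(1), m.group(2)
        # Excluding a whole drive root switches off scanning for everything on it.
        sev = "high" if kind.lower() == "path" and DRIVE_ROOT.match(target) else "medium"
        out.append((ev["pid"], "defender_exclusion", sev, f"-Exclusion{kind} {target}"))
    if USER_WRITABLE.match(ev["image"]):
        out.append((ev["pid"], "exec_from_user_writable_path", "medium", ev["image"]))
    parent = by_pid.get(ev["ppid"])
    if parent and "powershell.exe" in ev["image"].lower() and USER_WRITABLE.match(parent["image"]):
        out.append((ev["pid"], "powershell_from_user_writable_parent", "medium", parent["image"]))
    return out


def check_registry(ev):
    """Run-key persistence whose target lives in a user-writable directory."""
    if RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["value"].strip('"')):
        return [(ev["pid"], "run_key_to_user_writable_path", "high", ev["value"])]
    return []


def check_dns(ev):
    """Lookups of dynamic-DNS hostnames, as used for the C2 in this report."""
    q = ev["query"].lower()
    if any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return [(ev["pid"], "dynamic_dns_lookup", "low", ev["query"])]
    return []


def triage(events):
    """Run every rule over the event list and return all findings."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings += check_process(ev, by_pid)
        elif ev["type"] == "registry":
            findings += check_registry(ev)
        elif ev["type"] == "dns":
            findings += check_dns(ev)
    return findings


def score(findings):
    """Weighted sum of finding severities; a simple ranking for a triage queue."""
    return sum(SEVERITY[sev] for _, _, sev, _ in findings)


if __name__ == "__main__":
    results = triage(EVENTS)
    for pid, rule, sev, detail in results:
        print(f"{sev:6} pid={pid:<5} {rule:38} {detail}")
    print("score:", score(results))
```

On the constructed events the script raises eight findings: both PowerShell instances trip the drive-root exclusion rule at high severity, the Run key pointing into C:\ProgramData is high, the sample and images.exe running from user-writable paths and PowerShell being spawned by those processes are medium, and the Duck DNS lookup is low; the control notepad.exe produces nothing. The parent-child rule is the one worth keeping even where Defender is not in use, since it catches the dropper-to-interpreter hop independently of the specific cmdlet.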
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 0ab5a236e3841289178b4f23210883f6
  SHA1: d17eaea883a2a8dd57eb8a2241f39e1dd3b04737
  SHA256: eeb308aa1bda9b69ee0e419eb9daaf8d3d1bba449c843702c5b9bdad8778e156
  SHA512: 0969fb07bbd879f1bb11acae3fb3c803cb57c2b0ba03522e95096bdfe47b935455df8ba51c79b9284cecd815855e8faac6b31c182165f73d44fdebba6c5892e7
  (A Windows jump-list file written by the shell when the sample is launched, not a payload.)
- (path not recorded)
  Filesize: 1.6MB
  MD5: 128b26f383a1f6bb071df23e1cfb82af
  SHA1: c9dab1c522d5cff0defb801acf634d948384e79e
  SHA256: e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b
  SHA512: a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b
  (Hashes are identical to the submitted sample, so this is a byte-for-byte copy of it.)