warzonerat | e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b

General

Target

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
Size

1.6MB
MD5

128b26f383a1f6bb071df23e1cfb82af
SHA1

c9dab1c522d5cff0defb801acf634d948384e79e
SHA256

e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b
SHA512

a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b
SSDEEP

24576:Pj2iZXSjoekb9TXahIoFRFGM/SJLMJ3GAOxW4PLSf:ejoekb9LYIWRdSuFShPLSf

Score

10^/10

warzonerat execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

dultrasolutions.duckdns.org:7171

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000340000-0x0000000000360000-memory.dmp	warzonerat
behavioral1/memory/2696-2-0x0000000000360000-0x000000000037D000-memory.dmp	warzonerat
behavioral1/memory/2696-15-0x0000000000360000-0x000000000037D000-memory.dmp	warzonerat
behavioral1/memory/2632-20-0x00000000002B0000-0x00000000002CD000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2464 powershell.exe
1156 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2632 images.exe
Loads dropped DLL 1 IoCs

Processes:

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

pid process

2696 128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

pid	process
2464	powershell.exe
1156	powershell.exe

pid	process
2632	images.exe

pid	process
2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2464 powershell.exe
1156 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2464 powershell.exe
Token: SeDebugPrivilege 1156 powershell.exe

pid	process
2464	powershell.exe
1156	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exeimages.exe

description	pid	process	target process
PID 2696 wrote to memory of 2464	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2464	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2464	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2464	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2632	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	images.exe
PID 2696 wrote to memory of 2632	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	images.exe
PID 2696 wrote to memory of 2632	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	images.exe
PID 2696 wrote to memory of 2632	2696	128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe	images.exe
PID 2632 wrote to memory of 1156	2632	images.exe	powershell.exe
PID 2632 wrote to memory of 1156	2632	images.exe	powershell.exe
PID 2632 wrote to memory of 1156	2632	images.exe	powershell.exe
PID 2632 wrote to memory of 1156	2632	images.exe	powershell.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe
PID 2632 wrote to memory of 696	2632	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0ab5a236e3841289178b4f23210883f6

SHA1
d17eaea883a2a8dd57eb8a2241f39e1dd3b04737

SHA256
eeb308aa1bda9b69ee0e419eb9daaf8d3d1bba449c843702c5b9bdad8778e156

SHA512
0969fb07bbd879f1bb11acae3fb3c803cb57c2b0ba03522e95096bdfe47b935455df8ba51c79b9284cecd815855e8faac6b31c182165f73d44fdebba6c5892e7

Download Submit
\ProgramData\images.exe

Filesize
1.6MB

MD5
128b26f383a1f6bb071df23e1cfb82af

SHA1
c9dab1c522d5cff0defb801acf634d948384e79e

SHA256
e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b

SHA512
a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b

Download Submit
memory/696-33-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/696-35-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2632-20-0x00000000002B0000-0x00000000002CD000-memory.dmp

Filesize
116KB

Download
memory/2696-0-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/2696-2-0x0000000000360000-0x000000000037D000-memory.dmp

Filesize
116KB

Download
memory/2696-15-0x0000000000360000-0x000000000037D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads