Analysis
max time kernel: 148s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
Size: 377KB
MD5: 1768a22ad081724971c9a709488d41d3
SHA1: a180bfc90402a3cd3656c2a5a2ba876987e055b4
SHA256: 93983480e656ab227ef8c96b10fa2360ca628bc34689d05d6483a87a8b3af014
SHA512: ee173b87e207c655990b8a26791a6150b13177786ba1bc6d04fc467bf0fdf219f996ab5d2e9599f9de323744ebc981a79f38f162051ffed5ae141a763a0564d0
SSDEEP: 6144:vAiuocJAT7f5t3FiyvaKS9zAUNwu+Tb6Z45AqP87KW40:Yiu5Juv1iyvaKHUf+fcgzyKf0
Malware Config
Extracted
warzonerat
stoic.gleeze.com:5200
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (12 IoCs)
resource | yara_rule
--- | ---
behavioral1/memory/2676-24-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-27-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-17-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-15-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-13-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-21-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-19-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-35-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2676-32-0x00000000026D0000-0x00000000027BE000-memory.dmp | warzonerat
behavioral1/memory/2000-76-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2000-74-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2000-85-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Executes dropped EXE (2 IoCs)
pid | process
--- | ---
2492 | images.exe
2000 | images.exe

Loads dropped DLL (1 IoC)
pid | process
--- | ---
2676 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
--- | --- | ---
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe" | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\SyncHost.exe" | images.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
--- | --- | --- | ---
PID 2216 set thread context of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 set thread context of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2492 set thread context of 2000 | 2492 | images.exe | images.exe
PID 2492 set thread context of 2948 | 2492 | images.exe | svchost.exe

Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | process | target process
--- | --- | --- | ---
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2216 wrote to memory of 2676 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
PID 2676 wrote to memory of 2492 | 2676 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | images.exe
PID 2676 wrote to memory of 2492 | 2676 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | images.exe
PID 2676 wrote to memory of 2492 | 2676 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | images.exe
PID 2676 wrote to memory of 2492 | 2676 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | images.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2216 wrote to memory of 2628 | 2216 | 1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe | svchost.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2000 | 2492 | images.exe | images.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
PID 2492 wrote to memory of 2948 | 2492 | images.exe | svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe"
  PID: 2216
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe"
    PID: 2676
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\images.exe
      Command line: "C:\ProgramData\images.exe"
      PID: 2492
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\images.exe
        Command line: "C:\ProgramData\images.exe"
        PID: 2000
        - Executes dropped EXE

      C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\System32\svchost.exe"
        PID: 2948

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\System32\svchost.exe"
    PID: 2628
Network
MITRE ATT&CK Enterprise v15