General
-
Target
1c2b71c939c4e219705fb50fbb967add_JaffaCakes118
-
Size
2.9MB
-
Sample
240506-m272vach44
-
MD5
1c2b71c939c4e219705fb50fbb967add
-
SHA1
2a35841e5681db50e1266e5b6087a65bd599dbbf
-
SHA256
79a43e569acfa06d5c941662ec175dca9e4775a8682b8ebf8e4bbcdb29d0a0ac
-
SHA512
bc2541cfbdfb2e63d5d0dc751b87265f500b336a79bfb5a31e23cf77a6eddabf12046989fdfcbfc2368171b1d38685431d071d8951a98d6f3f989ac16400b263
-
SSDEEP
24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHL:ATU7AAmw4gxeOw46fUbNecCCFbNec6
Behavioral task
behavioral1
Sample
1c2b71c939c4e219705fb50fbb967add_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1c2b71c939c4e219705fb50fbb967add_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Malware Config
Targets
-
-
Target
1c2b71c939c4e219705fb50fbb967add_JaffaCakes118
-
Size
2.9MB
-
MD5
1c2b71c939c4e219705fb50fbb967add
-
SHA1
2a35841e5681db50e1266e5b6087a65bd599dbbf
-
SHA256
79a43e569acfa06d5c941662ec175dca9e4775a8682b8ebf8e4bbcdb29d0a0ac
-
SHA512
bc2541cfbdfb2e63d5d0dc751b87265f500b336a79bfb5a31e23cf77a6eddabf12046989fdfcbfc2368171b1d38685431d071d8951a98d6f3f989ac16400b263
-
SSDEEP
24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHL:ATU7AAmw4gxeOw46fUbNecCCFbNec6
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4