Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 04:59

Static task: static1
Behavioral task: behavioral1
  Sample: 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
- Size: 829KB
- MD5: 1f852ea376663807f62403aa7f3e2706
- SHA1: 17160abf5dddab1ab19fa5c714ed582e3f3dee27
- SHA256: 92cb920a179ba20d60097dbde4cf0509c16b5fb76cc10c814678acf3484844cd
- SHA512: a810fd7eb4907efdad5db2501a0f1212ee48ca0ec27808937866c0a0e5fdb11e74d8c3a7d70826aef891a78da7640f496fe46a3511ad9ced9fcaf644169fa350
- SSDEEP: 12288:3p2cqiK+Kr8PNjpKJjqo5TQZyf7SBNiQb05gQMhMLhOj0qtOS/d82:3tQ7sNkj5Iig1abOX
Malware Config
Extracted: warzonerat
C2: bestsuccess.ddns.net:2442
Signatures
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT payload (7 IoCs)
yara_rule warzonerat matched the following memory dumps:
- behavioral1/memory/1912-4-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/1912-7-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/1912-8-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/1912-19-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/2668-31-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/2668-30-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral1/memory/2668-32-0x0000000000400000-0x0000000000554000-memory.dmp
-
Executes dropped EXE (2 IoCs)
- PID 2556 notepad.exe
- PID 2668 notepad.exe
-
Loads dropped DLL (3 IoCs)
- PID 1912 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
- PID 1912 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
- PID 2556 notepad.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\ProgramData\\notepad.exe" (process: 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe)
-
Suspicious use of SetThreadContext (2 IoCs)
- PID 3020 (1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe) set thread context of PID 1912 (1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe)
- PID 2556 (notepad.exe) set thread context of PID 2668 (notepad.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3020 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
- PID 2556 notepad.exe
-
Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 3020 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
- PID 2556 notepad.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3020 (1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe) wrote to memory of PID 1912 (1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe), 4 events
- PID 1912 (1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe) wrote to memory of PID 2556 (notepad.exe), 4 events
- PID 2556 (notepad.exe) wrote to memory of PID 2668 (notepad.exe), 4 events
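Checking a host for the kind of persistence this sample installs, as an added example in Python (not code from the sandbox report or from the Warzone family). The classification runs offline on the Run-key entry recorded above plus two constructed benign-looking entries; the live registry walk only runs on Windows through the standard `winreg` module. The drop-directory list, the Windows-binary name list and the masquerade value names are this example's own heuristics, not facts stated by the report.

```python
import re
import sys

# Autostart keys to enumerate. The IoC in this report sits under the
# Wow6432Node view of HKLM\...\Run, i.e. it was written by a 32-bit process
# on 64-bit Windows. Assumed list, extend as needed.
RUN_KEYS = [
    ("HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

# User-writable directories where an autostart binary is rarely legitimate but
# where droppers commonly stage payloads (this sample used C:\ProgramData).
DROP_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Names of genuine Windows binaries that malware borrows for its dropped file;
# they are only expected to run from the Windows directory.
WINDOWS_BINARIES = {"notepad.exe", "explorer.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe"}

# Value names that imitate Windows components (this sample used "Windows Explorer").
MASQUERADE_VALUE_NAMES = {"windows explorer", "windows update", "windows defender", "microsoft windows"}

_WINDIR = re.compile(r"^[a-z]:\\windows\\")


def executable_path(command: str) -> str:
    """Extract the program path from a Run value, handling quoted paths and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_value(name: str, value: str) -> list[str]:
    """Return the reasons a Run entry looks like malware persistence (empty if none)."""
    path = executable_path(value).lower().replace("/", "\\")
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in path for d in DROP_DIRS):
        reasons.append("target lives in a user-writable drop directory")
    if base in WINDOWS_BINARIES and not _WINDIR.match(path):
        reasons.append(f"{base} is a Windows binary name but runs from outside the Windows directory")
    if name.strip().lower() in MASQUERADE_VALUE_NAMES:
        reasons.append(f"value name {name!r} imitates a Windows component")
    return reasons


def triage(entries):
    """entries: iterable of (key, name, value); returns the flagged ones with their reasons."""
    flagged = []
    for key, name, value in entries:
        reasons = assess_run_value(name, value)
        if reasons:
            flagged.append((key, name, value, reasons))
    return flagged


def enumerate_run_keys():
    """Read the live Run keys. Windows only; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:  # key absent (e.g. no Wow6432Node on 32-bit Windows)
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _kind = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries.append((f"{hive}\\{subkey}", name, str(value)))
                index += 1
    return entries


# Constructed sample data: the IoC from this report beside two benign-looking
# entries. The registry stores the path unescaped; the report shows doubled backslashes.
SAMPLE_ENTRIES = [
    ("HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Windows Explorer", "C:\\ProgramData\\notepad.exe"),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "OneDrive", "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
]

if __name__ == "__main__":
    entries = enumerate_run_keys() or SAMPLE_ENTRIES
    for key, name, value, reasons in triage(entries):
        print(f"[!] {key}\\{name} = {value}")
        for reason in reasons:
            print(f"      - {reason}")
```

On a live host the script walks the real keys; elsewhere it falls back to the constructed entries, where only the "Windows Explorer" value pointing at C:\ProgramData\notepad.exe is flagged, on all three heuristics. The OneDrive entry under AppData\Local is deliberately not flagged: only the Temp subtree is treated as a drop directory, since blanket AppData matching produces far too many false positives.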
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe"
   PID: 3020
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe"
      PID: 1912
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\notepad.exe
         command line: "C:\ProgramData\notepad.exe"
         PID: 2556
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\notepad.exe
            command line: "C:\ProgramData\notepad.exe"
            PID: 2668
            - Executes dropped EXE
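The process tree and the SetThreadContext/WriteProcessMemory signatures read as a chain of two hollowing steps: the sample writes into a suspended copy of itself, the hollowed copy drops and starts C:\ProgramData\notepad.exe, and that dropped binary hollows a second copy of itself. The following added Python example (not the sandbox's code) rebuilds that chain from the report's events, which are constructed here as data, classifies each cross-process edge, and checks that the warzonerat YARA hits land in exactly the processes whose thread context was hijacked. The verdict labels and the same-image rule are this example's own heuristics.

```python
import re

# Process tree as recorded in the report: pid -> (image path, parent pid).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe"
DROPPED = "C:\\ProgramData\\notepad.exe"
PROCS = {
    3020: (SAMPLE, None),
    1912: (SAMPLE, 3020),
    2556: (DROPPED, 1912),
    2668: (DROPPED, 2556),
}

# Cross-process API events from the "Suspicious use of ..." signatures:
# (source pid, api, target pid). The four repeated WriteProcessMemory rows
# per pair are collapsed to one.
EVENTS = [
    (3020, "SetThreadContext", 1912),
    (3020, "WriteProcessMemory", 1912),
    (1912, "WriteProcessMemory", 2556),
    (2556, "SetThreadContext", 2668),
    (2556, "WriteProcessMemory", 2668),
]

# Memory dumps the sandbox's warzonerat YARA rule matched (subset of the report's list).
YARA_HITS = [
    "behavioral1/memory/1912-4-0x0000000000400000-0x0000000000554000-memory.dmp",
    "behavioral1/memory/1912-7-0x0000000000400000-0x0000000000554000-memory.dmp",
    "behavioral1/memory/2668-31-0x0000000000400000-0x0000000000554000-memory.dmp",
]

_DUMP = re.compile(r"memory/(\d+)-\d+-(0x[0-9a-f]+)-(0x[0-9a-f]+)-memory\.dmp$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Return the ancestor chain root..pid by walking parent pointers."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid][1]
    return chain[::-1]


def injection_edges(procs, events):
    """Group events per (src, dst) pair and classify each edge."""
    apis = {}
    for src, api, dst in events:
        apis.setdefault((src, dst), set()).add(api)
    edges = []
    for (src, dst), seen in sorted(apis.items()):
        writes = "WriteProcessMemory" in seen
        hijack = "SetThreadContext" in seen
        same_image = basename(procs[src][0]) == basename(procs[dst][0])
        is_child = procs[dst][1] == src
        if writes and hijack and is_child and same_image:
            # Parent writes a payload into a suspended copy of its own image and
            # redirects the main thread: the classic RunPE / hollowing pattern.
            verdict = "hollowing"
        elif writes and hijack:
            verdict = "thread-hijack"
        elif writes:
            verdict = "write-only"  # e.g. ordinary child setup, no thread redirection seen
        else:
            verdict = "other"
        edges.append((src, dst, verdict))
    return edges


def hollowed_pids(edges):
    return sorted(dst for _, dst, v in edges if v == "hollowing")


def dump_regions(hits):
    """Parse (pid, start, end) out of the sandbox's dump file names, deduplicated."""
    regions = set()
    for m in map(_DUMP.search, hits):
        if m:
            regions.add((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return sorted(regions)


def yara_pids(hits):
    return sorted({pid for pid, _, _ in dump_regions(hits)})


if __name__ == "__main__":
    print("chain:", " -> ".join(str(p) for p in lineage(PROCS, 2668)))
    edges = injection_edges(PROCS, EVENTS)
    for src, dst, verdict in edges:
        print(f"{src} -> {dst}: {verdict}")
    # Both payload regions start at 0x400000, the default image base of a 32-bit
    # EXE, which is where a hollowed child's original image was mapped.
    for pid, start, end in dump_regions(YARA_HITS):
        print(f"yara hit in pid {pid} at {start:#x}-{end:#x} ({end - start} bytes)")
    print("yara hits match hollowed children:", yara_pids(YARA_HITS) == hollowed_pids(edges))
```

The cross-check at the end is the useful part for triage: the YARA matches are in PIDs 1912 and 2668, which are exactly the two processes whose thread context was set by their parent, while 2556 (the dropped notepad.exe launched normally) and 3020 (the original sample) carry no payload hit. That is consistent with the unpacked Warzone payload existing only inside hollowed processes, so a memory acquisition should target those children rather than the on-disk files.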
Network
MITRE ATT&CK Enterprise v15
Downloads
-
1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe (the submitted sample)
- Filesize: 829KB
- MD5: 1f852ea376663807f62403aa7f3e2706
- SHA1: 17160abf5dddab1ab19fa5c714ed582e3f3dee27
- SHA256: 92cb920a179ba20d60097dbde4cf0509c16b5fb76cc10c814678acf3484844cd
- SHA512: a810fd7eb4907efdad5db2501a0f1212ee48ca0ec27808937866c0a0e5fdb11e74d8c3a7d70826aef891a78da7640f496fe46a3511ad9ced9fcaf644169fa350