warzonerat | 92cb920a179ba20d60097dbde4cf0509c16b5fb76cc10c814678acf3484844cd

General

Target

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
Size

829KB
MD5

1f852ea376663807f62403aa7f3e2706
SHA1

17160abf5dddab1ab19fa5c714ed582e3f3dee27
SHA256

92cb920a179ba20d60097dbde4cf0509c16b5fb76cc10c814678acf3484844cd
SHA512

a810fd7eb4907efdad5db2501a0f1212ee48ca0ec27808937866c0a0e5fdb11e74d8c3a7d70826aef891a78da7640f496fe46a3511ad9ced9fcaf644169fa350
SSDEEP

12288:3p2cqiK+Kr8PNjpKJjqo5TQZyf7SBNiQb05gQMhMLhOj0qtOS/d82:3tQ7sNkj5Iig1abOX

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

bestsuccess.ddns.net:2442

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1912-4-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1912-7-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1912-8-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1912-19-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2668-31-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

notepad.exenotepad.exe

pid process

2556 notepad.exe
2668 notepad.exe
Loads dropped DLL 3 IoCs

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exenotepad.exe

pid process

1912 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
1912 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556 notepad.exe

pid	process
2556	notepad.exe
2668	notepad.exe

pid	process
1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556	notepad.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\ProgramData\\notepad.exe"	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exenotepad.exe

description	pid	process	target process
PID 3020 set thread context of 1912	3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
PID 2556 set thread context of 2668	2556	notepad.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exenotepad.exe

pid process

3020 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556 notepad.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exenotepad.exe

pid process

3020 1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556 notepad.exe

pid	process
3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556	notepad.exe

pid	process
3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
2556	notepad.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exenotepad.exe

description	pid	process	target process
PID 3020 wrote to memory of 1912	3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
PID 3020 wrote to memory of 1912	3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
PID 3020 wrote to memory of 1912	3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
PID 3020 wrote to memory of 1912	3020	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
PID 1912 wrote to memory of 2556	1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	notepad.exe
PID 1912 wrote to memory of 2556	1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	notepad.exe
PID 1912 wrote to memory of 2556	1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	notepad.exe
PID 1912 wrote to memory of 2556	1912	1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe	notepad.exe
PID 2556 wrote to memory of 2668	2556	notepad.exe	notepad.exe
PID 2556 wrote to memory of 2668	2556	notepad.exe	notepad.exe
PID 2556 wrote to memory of 2668	2556	notepad.exe	notepad.exe
PID 2556 wrote to memory of 2668	2556	notepad.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f852ea376663807f62403aa7f3e2706_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1912

C:\ProgramData\notepad.exe
"C:\ProgramData\notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2556

C:\ProgramData\notepad.exe
"C:\ProgramData\notepad.exe"
4⤵
- Executes dropped EXE
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\notepad.exe

Filesize
829KB

MD5
1f852ea376663807f62403aa7f3e2706

SHA1
17160abf5dddab1ab19fa5c714ed582e3f3dee27

SHA256
92cb920a179ba20d60097dbde4cf0509c16b5fb76cc10c814678acf3484844cd

SHA512
a810fd7eb4907efdad5db2501a0f1212ee48ca0ec27808937866c0a0e5fdb11e74d8c3a7d70826aef891a78da7640f496fe46a3511ad9ced9fcaf644169fa350

Download Submit
memory/1912-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1912-4-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1912-7-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1912-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2556-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2556-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2668-32-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2668-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2668-31-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3020-2-0x0000000001E50000-0x0000000001E62000-memory.dmp

Filesize
72KB

Download
memory/3020-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3020-3-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/3020-5-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3020-1-0x0000000001E50000-0x0000000001E62000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads