Overview

overview

10

Static

static

3

2bc2e9be1b...18.exe

windows7-x64

10

2bc2e9be1b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bc2e9be1b54bd6742b8e9e3d9968f2b_JaffaCakes118.exe

  • Size

    833KB

  • MD5

    2bc2e9be1b54bd6742b8e9e3d9968f2b

  • SHA1

    da25c96686ce15f7e19a251f48260f4683df15e5

  • SHA256

    71435231f2c9636b8286fbc31f59a95fc8a2f9a598525f4c9c65c7b1f6c3c634

  • SHA512

    1c014b69662c30dc2537932d5a28531772083360b0e183a054f4e45fdfb04011b433150365ad05bfd0fd17a560cb50bc9f915d0b9d07d293e035689591cfc9df

  • SSDEEP

    12288:Lb6mCM9sXHh9BoRPqsxOVKuS5r70xwgeqh043L97/hO4pbYnx:6eSHhYRRxOVGcxJBdb1xix

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

bestsuccess.ddns.net:2442

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 7 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc2e9be1b54bd6742b8e9e3d9968f2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc2e9be1b54bd6742b8e9e3d9968f2b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\2bc2e9be1b54bd6742b8e9e3d9968f2b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2bc2e9be1b54bd6742b8e9e3d9968f2b_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\ProgramData\notepad.exe
        "C:\ProgramData\notepad.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\ProgramData\notepad.exe
          "C:\ProgramData\notepad.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\notepad.exe
      Filesize

      833KB

      MD5

      2bc2e9be1b54bd6742b8e9e3d9968f2b

      SHA1

      da25c96686ce15f7e19a251f48260f4683df15e5

      SHA256

      71435231f2c9636b8286fbc31f59a95fc8a2f9a598525f4c9c65c7b1f6c3c634

      SHA512

      1c014b69662c30dc2537932d5a28531772083360b0e183a054f4e45fdfb04011b433150365ad05bfd0fd17a560cb50bc9f915d0b9d07d293e035689591cfc9df

      Download Submit

    • memory/1740-7-0x0000000000400000-0x00000000004D6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/1740-1-0x0000000003F60000-0x0000000003F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1740-2-0x0000000003F60000-0x0000000003F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1740-3-0x0000000003F80000-0x0000000003F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1740-0-0x0000000002270000-0x0000000002271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2360-22-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2360-24-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2360-27-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2532-25-0x00000000006D0000-0x00000000006D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3180-6-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3180-8-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3180-12-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3180-4-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3540-15-0x0000000000400000-0x00000000004D6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/3540-20-0x0000000000400000-0x00000000004D6000-memory.dmp

      Filesize

      856KB

      Download