warzonerat | cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
Size

858KB
MD5

3f48755a19953e9c0e5e4b7436086e3e
SHA1

6eebacf37d21aaa8b808fff8fcc97ebdd62915c3
SHA256

cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3
SHA512

53a3c86c611452fa9fcef8ba7b33b8899e5e0fbbddf80dba66a26c0da062a2d0b704d4d7a18fadde55e9f8c594d6649988012e55157ca8095f00dcf68c67fcbf
SSDEEP

24576:uFFq+b5j65eH6Q2as94X4KzDkJkdvQmwzOP:jeaQ2Jo

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2428-74-0x0000000002090000-0x00000000020AD000-memory.dmp	warzonerat

Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srcvv.Lnk cscript.exe
Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2240 images.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

2688 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srcvv.Lnk	cscript.exe

pid	process
2240	images.exe

pid	process
2688	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description	pid	process	target process
PID 2428 set thread context of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 set thread context of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

pid	process
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2428 3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2428 wrote to memory of 2984	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2428 wrote to memory of 2984	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2428 wrote to memory of 2984	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2428 wrote to memory of 2984	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 2688	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2688 wrote to memory of 2240	2688	vbc.exe	images.exe
PID 2688 wrote to memory of 2240	2688	vbc.exe	images.exe
PID 2688 wrote to memory of 2240	2688	vbc.exe	images.exe
PID 2688 wrote to memory of 2240	2688	vbc.exe	images.exe
PID 2428 wrote to memory of 1796	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1796	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1796	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1796	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2428 wrote to memory of 1756	2428	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\srcvv.vbs
2⤵
- Drops startup file
PID:2984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:2240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\srcvv.vbs

Filesize
389B

MD5
7ea7aac4e9b7cae27d443ecbbb85fda9

SHA1
4c2b22c797255f88271ea34dccf7b37e55a581a2

SHA256
38a9876c1085eac11d0f29de77d73bc553741366872924b248200bf908b783a9

SHA512
e2fbeec8d02897e672187208abc282adda39a37ba79f9e4d18ffb1695dacf10eead5b860e188a09696396b38256e3ec25a025d28f964f56d08629dfc191d2e40

Download Submit
\ProgramData\images.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2428-47-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-71-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-4-0x00000000003C0000-0x00000000003E8000-memory.dmp

Filesize
160KB

Download
memory/2428-43-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-57-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-39-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-27-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-41-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-69-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-67-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-65-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-63-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-61-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-59-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-55-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-53-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-51-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-49-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2428-45-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-3-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-2-0x00000000006A0000-0x00000000006F0000-memory.dmp

Filesize
320KB

Download
memory/2428-8-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-37-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-35-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-33-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-31-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-29-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-25-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-23-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-21-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-19-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-17-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-15-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-13-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-11-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-9-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2428-74-0x0000000002090000-0x00000000020AD000-memory.dmp

Filesize
116KB

Download
memory/2428-1-0x00000000003F0000-0x00000000004CC000-memory.dmp

Filesize
880KB

Download
memory/2428-118-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2428-120-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download