warzonerat | cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
Size

858KB
MD5

3f48755a19953e9c0e5e4b7436086e3e
SHA1

6eebacf37d21aaa8b808fff8fcc97ebdd62915c3
SHA256

cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3
SHA512

53a3c86c611452fa9fcef8ba7b33b8899e5e0fbbddf80dba66a26c0da062a2d0b704d4d7a18fadde55e9f8c594d6649988012e55157ca8095f00dcf68c67fcbf
SSDEEP

24576:uFFq+b5j65eH6Q2as94X4KzDkJkdvQmwzOP:jeaQ2Jo

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

khan041.freeddns.org:3472

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2284-76-0x0000000005800000-0x000000000581D000-memory.dmp	warzonerat
behavioral2/memory/832-85-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srcvv.Lnk cscript.exe
Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3008 images.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srcvv.Lnk	cscript.exe

pid	process
3008	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description	pid	process	target process
PID 2284 set thread context of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 set thread context of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

pid	process
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2284 3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2284 wrote to memory of 4840	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2284 wrote to memory of 4840	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2284 wrote to memory of 4840	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	cscript.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 832	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 832 wrote to memory of 3008	832	vbc.exe	images.exe
PID 832 wrote to memory of 3008	832	vbc.exe	images.exe
PID 832 wrote to memory of 3008	832	vbc.exe	images.exe
PID 2284 wrote to memory of 1540	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 1540	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 1540	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe
PID 2284 wrote to memory of 4716	2284	3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\srcvv.vbs
2⤵
- Drops startup file
PID:4840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:3008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\srcvv.vbs

Filesize
389B

MD5
7ea7aac4e9b7cae27d443ecbbb85fda9

SHA1
4c2b22c797255f88271ea34dccf7b37e55a581a2

SHA256
38a9876c1085eac11d0f29de77d73bc553741366872924b248200bf908b783a9

SHA512
e2fbeec8d02897e672187208abc282adda39a37ba79f9e4d18ffb1695dacf10eead5b860e188a09696396b38256e3ec25a025d28f964f56d08629dfc191d2e40

Download Submit
memory/832-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2284-51-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-92-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2284-5-0x0000000005790000-0x00000000057B8000-memory.dmp

Filesize
160KB

Download
memory/2284-48-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-24-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-30-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-72-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-70-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-76-0x0000000005800000-0x000000000581D000-memory.dmp

Filesize
116KB

Download
memory/2284-2-0x0000000005B70000-0x000000000609C000-memory.dmp

Filesize
5.2MB

Download
memory/2284-1-0x0000000000C80000-0x0000000000D5C000-memory.dmp

Filesize
880KB

Download
memory/2284-75-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/2284-68-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-66-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-64-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-62-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-60-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-44-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-56-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-54-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-52-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2284-4-0x0000000005730000-0x0000000005780000-memory.dmp

Filesize
320KB

Download
memory/2284-58-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-42-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-40-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-38-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-36-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-34-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-32-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-28-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-26-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-22-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-20-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-19-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-17-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-14-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-12-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-10-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-9-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-87-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2284-91-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2284-46-0x0000000005790000-0x00000000057B1000-memory.dmp

Filesize
132KB

Download
memory/2284-94-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download