warzonerat | 02a3ceb7d6cee34f757b010560d78195fb712de8a6eeba23c6dc0263925a939d

General

Target

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe
Size

1.7MB
MD5

655f0656e49f279b523df95033b25dbf
SHA1

8e80aba7262ed142fbe2b13a96605742fc9765c1
SHA256

02a3ceb7d6cee34f757b010560d78195fb712de8a6eeba23c6dc0263925a939d
SHA512

05b0156edb92d3b98765439c56df0d5c5627ea69ae1b4b338797e07e96f268c8b139ec3244e99e96753e54b762be7d48ecbd13d7c72717105c7a4ca5e780c6c8
SSDEEP

6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxPdeCiy:U7EalzzLSKhxvf/nuvYxRRLgLy

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.86:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-0-0x00000000009B0000-0x0000000000B04000-memory.dmp	warzonerat
behavioral1/memory/1904-7-0x0000000002340000-0x0000000002F40000-memory.dmp	warzonerat
behavioral1/memory/1904-18-0x00000000009B0000-0x0000000000B04000-memory.dmp	warzonerat
behavioral1/memory/2740-24-0x0000000000A40000-0x0000000000B94000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2508 powershell.exe
2560 powershell.exe

pid	process
2508	powershell.exe
2560	powershell.exe

Drops startup file 2 IoCs

Processes:

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2740 images.exe
Loads dropped DLL 1 IoCs

Processes:

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

pid process

1904 655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

pid	process
2740	images.exe

pid	process
1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
NTFS ADS 1 IoCs

Processes:

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

description ioc process

File created C:\ProgramData:ApplicationData 655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2560 powershell.exe
2508 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2560 powershell.exe
Token: SeDebugPrivilege 2508 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe

pid	process
2560	powershell.exe
2508	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

655f0656e49f279b523df95033b25dbf_JaffaCakes118.exeimages.exe

description	pid	process	target process
PID 1904 wrote to memory of 2560	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	powershell.exe
PID 1904 wrote to memory of 2560	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	powershell.exe
PID 1904 wrote to memory of 2560	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	powershell.exe
PID 1904 wrote to memory of 2560	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	powershell.exe
PID 1904 wrote to memory of 2740	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	images.exe
PID 1904 wrote to memory of 2740	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	images.exe
PID 1904 wrote to memory of 2740	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	images.exe
PID 1904 wrote to memory of 2740	1904	655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe	images.exe
PID 2740 wrote to memory of 2508	2740	images.exe	powershell.exe
PID 2740 wrote to memory of 2508	2740	images.exe	powershell.exe
PID 2740 wrote to memory of 2508	2740	images.exe	powershell.exe
PID 2740 wrote to memory of 2508	2740	images.exe	powershell.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe
PID 2740 wrote to memory of 2004	2740	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\655f0656e49f279b523df95033b25dbf_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe

Filesize
1.7MB

MD5
655f0656e49f279b523df95033b25dbf

SHA1
8e80aba7262ed142fbe2b13a96605742fc9765c1

SHA256
02a3ceb7d6cee34f757b010560d78195fb712de8a6eeba23c6dc0263925a939d

SHA512
05b0156edb92d3b98765439c56df0d5c5627ea69ae1b4b338797e07e96f268c8b139ec3244e99e96753e54b762be7d48ecbd13d7c72717105c7a4ca5e780c6c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b00bb25471070461940771d1029536a

SHA1
6de4cce2f09e659cc96154b59a1b3b624a83b7cd

SHA256
79b11ad7b92a6be6511155f3d0a98ac3aeda3811312f8cfb8e42e18e7cbbe1c0

SHA512
92c87085e60e3e737119d7f699fb30854ff1b40cb991b9e15f42ee9a8e2851d06d350cc311ac2a45fd9a814f3b0885a2c172e9e9d655d30c8f5fe1382cbd9e7d

Download Submit
memory/1904-0-0x00000000009B0000-0x0000000000B04000-memory.dmp

Filesize
1.3MB

Download
memory/1904-7-0x0000000002340000-0x0000000002F40000-memory.dmp

Filesize
12.0MB

Download
memory/1904-18-0x00000000009B0000-0x0000000000B04000-memory.dmp

Filesize
1.3MB

Download
memory/2004-39-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-37-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2740-24-0x0000000000A40000-0x0000000000B94000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads