General

  • Target: 674122f4521b5303a7a4f7943c62b2b6_JaffaCakes118
  • Size: 152KB
  • Sample: 240522-pkx7esag37
  • MD5: 674122f4521b5303a7a4f7943c62b2b6
  • SHA1: 42bdf591d3b63cbc3854a5348088c878ecb83fc4
  • SHA256: 975c1d6172c86dc4b1f58e88480df55ded6429c82ebe2e9c805dc1c43409b27a
  • SHA512: 6311011ef5bbf974234ab02055c7bf16f014bda805f608dd863e4d174e7d70937486b72421896bc42145189f02c457557e06c8e54d602616c6afce35a3357c7f
  • SSDEEP: 3072:vp0bsWYFP8ScRTdmV3O8ZS+xUS1riVfnrK+0Hf1TIZ:aYWYFPBOFiuv+J9Ti

Malware Config

Extracted

  • Family: warzonerat
  • C2: projex0192.rapiddns.ru:5200

Targets

    • Target: FW Injector.exe
    • Size: 262KB
    • MD5: 37f340e9d569089da4b981c0a4bb7dd4
    • SHA1: f2b6ddbb5e0c3bc531ebacd5be15a95cc906dcc6
    • SHA256: f6eff84cf170a15b3b8a92526b8b8dde1a916e3e22d30604d260aaeae5d4236d
    • SHA512: 4b3f74637941c01a1110a9b7116ada33acc43c6498015d185735a5b123062382d8ec66192c04631b88079b6b184e94d047ea230a2f40145da5c9b38e8fe3ca0d
    • SSDEEP: 6144:nyasL9DE0mz0hV+WcFnESvT6yZUeTv5xWxB:ny5L9vm8yZjThx

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1