warzonerat | b4a35f66e90a5bea67465417218ba17e6a42f47c53c9189dc8d5b4d1f0b5e02c

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe
Size

422KB
MD5

886cb9c0df6523d759541346d1311b65
SHA1

49f893a1785749b52c0a962bf4fbc2118e619bc3
SHA256

b4a35f66e90a5bea67465417218ba17e6a42f47c53c9189dc8d5b4d1f0b5e02c
SHA512

b5055d5f8381d34756740eed7b0ab59aaf34cc19d821ad876a5e9398077e2d6db68d871959095a47b9a80a5b22f53f342aec1d5673a2ad5e18835c28f33e4164
SSDEEP

6144:0/CV5z8JYlRVHZPho49VKiEg5VcW0vt9SlE8y:0ez5lHZ5o49pESclt9SNy

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

rebelxxd2.publicvm.com:1998

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3364-18-0x0000000003D30000-0x0000000003D4D000-memory.dmp	warzonerat
behavioral2/memory/3364-26-0x00000000036E0000-0x00000000037E0000-memory.dmp	warzonerat
behavioral2/memory/3364-30-0x0000000003D30000-0x0000000003D4D000-memory.dmp	warzonerat
behavioral2/memory/3324-46-0x0000000003CA0000-0x0000000003CBD000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3324 images.exe

pid	process
3324	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe

description	pid	process	target process
PID 3364 wrote to memory of 3324	3364	886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe	images.exe
PID 3364 wrote to memory of 3324	3364	886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe	images.exe
PID 3364 wrote to memory of 3324	3364	886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\886cb9c0df6523d759541346d1311b65_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
422KB

MD5
886cb9c0df6523d759541346d1311b65

SHA1
49f893a1785749b52c0a962bf4fbc2118e619bc3

SHA256
b4a35f66e90a5bea67465417218ba17e6a42f47c53c9189dc8d5b4d1f0b5e02c

SHA512
b5055d5f8381d34756740eed7b0ab59aaf34cc19d821ad876a5e9398077e2d6db68d871959095a47b9a80a5b22f53f342aec1d5673a2ad5e18835c28f33e4164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
e761947edb1c261e10d09a19e311430a

SHA1
9c3b4ac61aaab7ef2def86e8e156c00580f5852d

SHA256
c9efb2656ea070820e0a3c464ea14abb078ad357ec57b8694f49d2149b132473

SHA512
cfb80e152f87e470ff50dbca6099ac11c0785c1f602bd6d40ff947e29d021bffeac754df266133554e6d604be040537d3499ff24886ecded2c387cfa2d5c02f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_63F40B816FCC2D8AE14321B58D77EB6D
Filesize
471B

MD5
59247ebfa3adb49d20b4202a3d151ade

SHA1
409eeb3ef50ea9d08681465a392061e02253dd74

SHA256
39e93da8d69d08ab66e314470c93f7035568d9d5b521cfc4af9bb02c1089410c

SHA512
dbab9f5763dc37d813e7dbd111ea46f4686740d874210b4128afc262f7ea02f8a34973ccf4078f5f379049f3c7acbae7ca16f21756db4e97c4563b04b27f4a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301
Filesize
472B

MD5
d163fe5abb63a1e5a1569548a8809a38

SHA1
35f4cff535ba1519092eafde9f6cb9faf409f3f1

SHA256
aea13aa2eb2dee1c4c7a14667ba1596a3a564c1fbde45adde43fad97749315bf

SHA512
6bff9722258eec0b227915d55b9da7740827740d45b092373bf6c44127d7891879519e563bb2fbc3faed3ac8c64356c0ced4d132d4a22e829e20951ad8d0ee18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
9867b38ea2148b2750ae9498e292e234

SHA1
515e0db162ffb3046208fc3d2627cbe3daf915be

SHA256
1edf6601633e1df55c5a55808d7213fc42bc720c957f90c6ffae7cd30afe0e54

SHA512
48d2bd8c10b91fd32b34c1dd957afa73ef6fc3f31df4bf4009f3782b7fdcc2f7ef5a31b2a2e1c7e28334b675a0a7bf52610c33f6792b45deca0446fc66037d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
46d9a081174561d26bb25d07e1d0c0ef

SHA1
32712bad40f35402f4111bfb59bb049a8af57e0f

SHA256
2dcd1e1b510e0af68d76036a9ae4a3eabe5450fcd5cbc72c7b1a8db723302edf

SHA512
11327869f29004ba3dd77e07fc14f61d2788f05564f32ed93266d0a48046b3fac964a4de94fef6b5ea3d547442fefb87adbbe7b5436379caa95f68795a355762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_63F40B816FCC2D8AE14321B58D77EB6D
Filesize
406B

MD5
a364ea05201ba25fe50146c410a70e34

SHA1
52b42c654d8775522c982566ffec0840d0d04128

SHA256
4206079bdd94adeb181e64617569317a30a59e5b08d4dd6c9ed3f85a2113c45c

SHA512
fd7a7257f03e53574424125a799d7c678272a841ff0471619a26d67f9b87e03d3dd6a78b09761752e7bacef9d7996c5ebe52c87c370edeed88aaf246f42b9bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301
Filesize
402B

MD5
4b6c890cb5885ab7943f33c004b0202f

SHA1
f0260c3778bd4cfce122c40ad24c5fdee271a038

SHA256
7dd2f231a6e671729703dbb947cb0e431b2379b835c687633a00bca3d49c332a

SHA512
2becfa46b6835e765cc9add9e6df2f26c13772e7971061afe372f8b32d6aa2eb90380b6cbf1cedfd15f647226e2ec2e801569199f1863ba626d20a8e433c184c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\0WBEFJ96.htm
Filesize
220B

MD5
276bbb20c29087e88db63899fd8f9129

SHA1
b52854d1f79de5ebeebf0160447a09c7a8c2cde4

SHA256
5b61b0c2032b4aa9519d65cc98c6416c12415e02c7fbbaa1be5121dc75162edb

SHA512
aeb2fe0c7ac516a41d931344767e8d7b7da418c35970a27eaa8ccfb89d28b36a44bb6db6fe28c192e0ed994d6a61463f132b86ddd246230acc7af28f083ed2bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\U2VYNY4A.htm
Filesize
40KB

MD5
1209b45fbf238052328f5cf0c5f47d2c

SHA1
fed75fb62aef4b274ef50441c48c749e82c2c34a

SHA256
12c0bee39c941b75d7715ffa9d81869acac1740e2f108097a3efaaa2b2c92eb7

SHA512
4f6203a6b507839fdad6a67544d0e54b09c5e36a65e2eb9dfc8ad69b96145fd37967931e0e5f6e586859abfc06bd0d754beeae58fd5f2929d39c43c6987fb083

Download Submit
memory/3324-46-0x0000000003CA0000-0x0000000003CBD000-memory.dmp

Filesize
116KB

Download
memory/3324-54-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/3324-55-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/3364-30-0x0000000003D30000-0x0000000003D4D000-memory.dmp

Filesize
116KB

Download
memory/3364-18-0x0000000003D30000-0x0000000003D4D000-memory.dmp

Filesize
116KB

Download
memory/3364-26-0x00000000036E0000-0x00000000037E0000-memory.dmp

Filesize
1024KB

Download