General
-
Target
86d9ef3aa6cb9569f4fd5bc4f5018f41JaffaCakes118
-
Size
1.8MB
-
Sample
240531-pqsh5ahf29
-
MD5
86d9ef3aa6cb9569f4fd5bc4f5018f41
-
SHA1
c0bc641f9dceebe458487071eb65d8f1c12c1180
-
SHA256
8f0dfe1d2a2dbb617fff7710e2032d6c633d6fb05ae4bb3d28650ee8ce75d61b
-
SHA512
6a98164c26822708914b7d3cc4660278f895aa71a5ebf9540f008e27362c7e1236b2bf8a239caef6d63a0108ea5903faceba1aabf7ed62a6d3e7b741e39c065e
-
SSDEEP
12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgi:r1gg4CppEI6GGfWDkCQDbGV6eH81kr
Malware Config
Targets
-
-
Target
86d9ef3aa6cb9569f4fd5bc4f5018f41JaffaCakes118
-
Size
1.8MB
-
MD5
86d9ef3aa6cb9569f4fd5bc4f5018f41
-
SHA1
c0bc641f9dceebe458487071eb65d8f1c12c1180
-
SHA256
8f0dfe1d2a2dbb617fff7710e2032d6c633d6fb05ae4bb3d28650ee8ce75d61b
-
SHA512
6a98164c26822708914b7d3cc4660278f895aa71a5ebf9540f008e27362c7e1236b2bf8a239caef6d63a0108ea5903faceba1aabf7ed62a6d3e7b741e39c065e
-
SSDEEP
12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgi:r1gg4CppEI6GGfWDkCQDbGV6eH81kr
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1