General
-
Target
87d5c387c363d12da2820e403d03c8b3_JaffaCakes118
-
Size
1.7MB
-
Sample
240531-wh5baafg6y
-
MD5
87d5c387c363d12da2820e403d03c8b3
-
SHA1
5c37c95ddf2bdbf470f98088e061047f6acc506f
-
SHA256
aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
-
SHA512
2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
-
SSDEEP
6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxndeCiy:U7EalzzLSKhxvf/nuvYxRRjgLy
Static task
static1
Behavioral task
behavioral1
Sample
87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
warzonerat
79.134.225.105:5200
Targets
-
-
Target
87d5c387c363d12da2820e403d03c8b3_JaffaCakes118
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Creates a large number of network flows
This may indicate a network scan to discover remotely running services.
-