Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 31-05-2024 17:56
Static task: static1
Behavioral task: behavioral1
- Sample: 87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Size: 1.7MB
- MD5: 87d5c387c363d12da2820e403d03c8b3
- SHA1: 5c37c95ddf2bdbf470f98088e061047f6acc506f
- SHA256: aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
- SHA512: 2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
- SSDEEP: 6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxndeCiy:U7EalzzLSKhxvf/nuvYxRRjgLy
Malware Config
Extracted
- Family: warzonerat
- C2: 79.134.225.105:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2876-0-0x00000000009C0000-0x0000000000B14000-memory.dmp  warzonerat
  behavioral1/memory/2876-7-0x0000000002580000-0x0000000003180000-memory.dmp  warzonerat
  behavioral1/memory/2876-19-0x00000000009C0000-0x0000000000B14000-memory.dmp  warzonerat
  behavioral1/memory/2460-23-0x00000000020C0000-0x0000000002214000-memory.dmp  warzonerat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid / process):
  2712  powershell.exe
  1500  powershell.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  2460  images.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  2876  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- NTFS ADS (1 IoCs)
  Processes (description / ioc / process):
  File created  C:\ProgramData:ApplicationData  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  2712  powershell.exe
  1500  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  2712  powershell.exe
  Token: SeDebugPrivilege  1500  powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description / pid / process / target process; identical rows collapsed, count in parentheses):
  PID 2876 wrote to memory of 2712  2876  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe  powershell.exe  (4 entries)
  PID 2876 wrote to memory of 2460  2876  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe  images.exe  (4 entries)
  PID 2460 wrote to memory of 1500  2460  images.exe  powershell.exe  (4 entries)
  PID 2460 wrote to memory of 1196  2460  images.exe  cmd.exe  (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\images.exe (level 2)
    Command line: "C:\ProgramData\images.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe"
Downloads
- C:\ProgramData
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AQUS0T0XRP5NHLWW80NG.temp
  Filesize: 7KB
  MD5: 4d2cf76e9d306620b7d1f7915a1d04ee
  SHA1: b4f8c96b366b6068927ce19535b26e530035d5fa
  SHA256: 666f14ad635dce794d7ec4d53d1c37007759ec0cc8cff4c80a0ef891e597399a
  SHA512: 5c811d0592366c8e1e71ecb793a557bf6d799763414a922804dc518a795971465623469f1f24454a0c81f6a24731b47530b884e31cb263ac2a30fe55fe7ffc72
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2c0632aa60b6798af4e3f2e0b5cabaed
  SHA1: 175f24a2259a5a98479e799d3edb078cbb6365cb
  SHA256: 2f2bd4e5df3f6a39f656f0dad17c88cbfab2cd161e46da704b515ca7551cf19c
  SHA512: 25818671e0234fa856c7c1df2b01ff37062b9b0e56e08bd1f9227b69098eea3e4c8b7e5f6a98858b12ee5ea7bf26aaeffa39b882ac970bd982b2d061b5379a71
- \ProgramData\images.exe
  Filesize: 1.7MB
  MD5: 87d5c387c363d12da2820e403d03c8b3
  SHA1: 5c37c95ddf2bdbf470f98088e061047f6acc506f
  SHA256: aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
  SHA512: 2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
- memory/1196-36-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
- memory/1196-38-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
- memory/2460-23-0x00000000020C0000-0x0000000002214000-memory.dmp
  Filesize: 1.3MB
- memory/2876-0-0x00000000009C0000-0x0000000000B14000-memory.dmp
  Filesize: 1.3MB
- memory/2876-7-0x0000000002580000-0x0000000003180000-memory.dmp
  Filesize: 12.0MB
- memory/2876-19-0x00000000009C0000-0x0000000000B14000-memory.dmp
  Filesize: 1.3MB