warzonerat | aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746

General

Target

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
Size

1.7MB
MD5

87d5c387c363d12da2820e403d03c8b3
SHA1

5c37c95ddf2bdbf470f98088e061047f6acc506f
SHA256

aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
SHA512

2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
SSDEEP

6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxndeCiy:U7EalzzLSKhxvf/nuvYxRRjgLy

Score

10^/10

warzonerat execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.105:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x00000000009C0000-0x0000000000B14000-memory.dmp	warzonerat
behavioral1/memory/2876-7-0x0000000002580000-0x0000000003180000-memory.dmp	warzonerat
behavioral1/memory/2876-19-0x00000000009C0000-0x0000000000B14000-memory.dmp	warzonerat
behavioral1/memory/2460-23-0x00000000020C0000-0x0000000002214000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2712 powershell.exe
1500 powershell.exe

pid	process
2712	powershell.exe
1500	powershell.exe

Drops startup file 2 IoCs

Processes:

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2460 images.exe
Loads dropped DLL 1 IoCs

Processes:

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

pid process

2876 87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

pid	process
2460	images.exe

pid	process
2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

description ioc process

File created C:\ProgramData:ApplicationData 87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2712 powershell.exe
1500 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2712 powershell.exe
Token: SeDebugPrivilege 1500 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

pid	process
2712	powershell.exe
1500	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exeimages.exe

description	pid	process	target process
PID 2876 wrote to memory of 2712	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2712	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2712	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2712	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2460	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	images.exe
PID 2876 wrote to memory of 2460	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	images.exe
PID 2876 wrote to memory of 2460	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	images.exe
PID 2876 wrote to memory of 2460	2876	87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe	images.exe
PID 2460 wrote to memory of 1500	2460	images.exe	powershell.exe
PID 2460 wrote to memory of 1500	2460	images.exe	powershell.exe
PID 2460 wrote to memory of 1500	2460	images.exe	powershell.exe
PID 2460 wrote to memory of 1500	2460	images.exe	powershell.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe
PID 2460 wrote to memory of 1196	2460	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AQUS0T0XRP5NHLWW80NG.temp
Filesize
7KB

MD5
4d2cf76e9d306620b7d1f7915a1d04ee

SHA1
b4f8c96b366b6068927ce19535b26e530035d5fa

SHA256
666f14ad635dce794d7ec4d53d1c37007759ec0cc8cff4c80a0ef891e597399a

SHA512
5c811d0592366c8e1e71ecb793a557bf6d799763414a922804dc518a795971465623469f1f24454a0c81f6a24731b47530b884e31cb263ac2a30fe55fe7ffc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2c0632aa60b6798af4e3f2e0b5cabaed

SHA1
175f24a2259a5a98479e799d3edb078cbb6365cb

SHA256
2f2bd4e5df3f6a39f656f0dad17c88cbfab2cd161e46da704b515ca7551cf19c

SHA512
25818671e0234fa856c7c1df2b01ff37062b9b0e56e08bd1f9227b69098eea3e4c8b7e5f6a98858b12ee5ea7bf26aaeffa39b882ac970bd982b2d061b5379a71

Download Submit
\ProgramData\images.exe
Filesize
1.7MB

MD5
87d5c387c363d12da2820e403d03c8b3

SHA1
5c37c95ddf2bdbf470f98088e061047f6acc506f

SHA256
aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746

SHA512
2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a

Download Submit
memory/1196-36-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1196-38-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2460-23-0x00000000020C0000-0x0000000002214000-memory.dmp

Filesize
1.3MB

Download
memory/2876-0-0x00000000009C0000-0x0000000000B14000-memory.dmp

Filesize
1.3MB

Download
memory/2876-7-0x0000000002580000-0x0000000003180000-memory.dmp

Filesize
12.0MB

Download
memory/2876-19-0x00000000009C0000-0x0000000000B14000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads