Overview

overview

10

Static

static

3

8d1a4a0e2b...18.exe

windows7-x64

10

8d1a4a0e2b...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8d1a4a0e2b3826798a728707527baeba_JaffaCakes118

  • Size

    336KB

  • Sample

    240602-gp8jysdb7v

  • MD5

    8d1a4a0e2b3826798a728707527baeba

  • SHA1

    2409203f258633d47325042cc2aae439725d4d62

  • SHA256

    b77860073b44ee02d8f4fffd3883683bb5e336e35fa0226531735e5de82e68e2

  • SHA512

    416d5e41824df31f862013d5a99dcaeba773b37e6571fcb484c48e0f1756f17966ce51382e5f10dd453e1e46c8b8a806a78c84855237aa2a06a4f7e88128ad50

  • SSDEEP

    6144:E+Ju2JS+1+EYJEMs2ujJtfTGGgToub7iRr//RuHuG/:E+JDJS+E9JEMs5J9T7g0uXihXtG/

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

185.29.9.58:1023

Targets

    • Target

      8d1a4a0e2b3826798a728707527baeba_JaffaCakes118

    • Size

      336KB

    • MD5

      8d1a4a0e2b3826798a728707527baeba

    • SHA1

      2409203f258633d47325042cc2aae439725d4d62

    • SHA256

      b77860073b44ee02d8f4fffd3883683bb5e336e35fa0226531735e5de82e68e2

    • SHA512

      416d5e41824df31f862013d5a99dcaeba773b37e6571fcb484c48e0f1756f17966ce51382e5f10dd453e1e46c8b8a806a78c84855237aa2a06a4f7e88128ad50

    • SSDEEP

      6144:E+Ju2JS+1+EYJEMs2ujJtfTGGgToub7iRr//RuHuG/:E+JDJS+E9JEMs5J9T7g0uXihXtG/

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks