Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 05:59
Static task: static1
Behavioral task: behavioral1
  Sample: 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
- Size: 336KB
- MD5: 8d1a4a0e2b3826798a728707527baeba
- SHA1: 2409203f258633d47325042cc2aae439725d4d62
- SHA256: b77860073b44ee02d8f4fffd3883683bb5e336e35fa0226531735e5de82e68e2
- SHA512: 416d5e41824df31f862013d5a99dcaeba773b37e6571fcb484c48e0f1756f17966ce51382e5f10dd453e1e46c8b8a806a78c84855237aa2a06a4f7e88128ad50
- SSDEEP: 6144:E+Ju2JS+1+EYJEMs2ujJtfTGGgToub7iRr//RuHuG/:E+JDJS+E9JEMs5J9T7g0uXihXtG/
Malware Config
Extracted
- Family: warzonerat
- C2: 185.29.9.58:1023
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2260-1-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
  behavioral2/memory/2260-5-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
  behavioral2/memory/4492-10-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
  behavioral2/memory/4492-13-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1612 | images.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1612 | images.exe
  4492 | images.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 4468 set thread context of 2260 | 4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  PID 1612 set thread context of 4492 | 1612 | images.exe | images.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  1612 | images.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 4468 wrote to memory of 2260 | 4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  PID 4468 wrote to memory of 2260 | 4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  PID 4468 wrote to memory of 2260 | 4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  PID 4468 wrote to memory of 2260 | 4468 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
  PID 2260 wrote to memory of 1612 | 2260 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | images.exe
  PID 2260 wrote to memory of 1612 | 2260 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | images.exe
  PID 2260 wrote to memory of 1612 | 2260 | 8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe | images.exe
  PID 1612 wrote to memory of 4492 | 1612 | images.exe | images.exe
  PID 1612 wrote to memory of 4492 | 1612 | images.exe | images.exe
  PID 1612 wrote to memory of 4492 | 1612 | images.exe | images.exe
  PID 1612 wrote to memory of 4492 | 1612 | images.exe | images.exe
  PID 4492 wrote to memory of 3872 | 4492 | images.exe | cmd.exe
  PID 4492 wrote to memory of 3872 | 4492 | images.exe | cmd.exe
  PID 4492 wrote to memory of 3872 | 4492 | images.exe | cmd.exe
  PID 4492 wrote to memory of 3872 | 4492 | images.exe | cmd.exe
  PID 4492 wrote to memory of 3872 | 4492 | images.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8d1a4a0e2b3826798a728707527baeba_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\images.exe
         Command line: "C:\ProgramData\images.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\images.exe
            Command line: "C:\ProgramData\images.exe"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe"
Downloads
- C:\ProgramData\images.exe
  Filesize: 336KB
  MD5: 8d1a4a0e2b3826798a728707527baeba
  SHA1: 2409203f258633d47325042cc2aae439725d4d62
  SHA256: b77860073b44ee02d8f4fffd3883683bb5e336e35fa0226531735e5de82e68e2
  SHA512: 416d5e41824df31f862013d5a99dcaeba773b37e6571fcb484c48e0f1756f17966ce51382e5f10dd453e1e46c8b8a806a78c84855237aa2a06a4f7e88128ad50
- memory/1612-7-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/2260-1-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/2260-5-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/3872-11-0x0000000000C70000-0x0000000000C71000-memory.dmp
  Filesize: 4KB
- memory/4468-0-0x0000000000422000-0x000000000042B000-memory.dmp
  Filesize: 36KB
- memory/4492-10-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4492-13-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB