General
-
Target
adfdd48b3b0748bd44870fc6f8cedee4_JaffaCakes118
-
Size
626KB
-
Sample
240615-mhdnws1bjn
-
MD5
adfdd48b3b0748bd44870fc6f8cedee4
-
SHA1
45d1a46ce93e853f63008d0315e71153fa210aa9
-
SHA256
74b7f3c7a973317481bac9efb82cb7de5269fac1db08f701f2ec68f9dff92f47
-
SHA512
178fa715b0b5c921b8c2eca3ab7293d6b335651e9611171204537c71ba388db4db167aefa51bbd7921a251e78fead13d7b78a49c215d2c6b76dfa7fe707b1aa7
-
SSDEEP
12288:4ioiQoFCeOSdnlHrT+uZA1hDWJdjbM7ffN5nIzZETVi0dyfklC5:4nidFKA+RuJdHaNOqfdyff
Static task
static1
Behavioral task
behavioral1
Sample
adfdd48b3b0748bd44870fc6f8cedee4_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
adfdd48b3b0748bd44870fc6f8cedee4_JaffaCakes118.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
warzonerat
jackspro.warzonedns.com:2018
Targets
-
Target
adfdd48b3b0748bd44870fc6f8cedee4_JaffaCakes118
-
Size
626KB
-
MD5
adfdd48b3b0748bd44870fc6f8cedee4
-
SHA1
45d1a46ce93e853f63008d0315e71153fa210aa9
-
SHA256
74b7f3c7a973317481bac9efb82cb7de5269fac1db08f701f2ec68f9dff92f47
-
SHA512
178fa715b0b5c921b8c2eca3ab7293d6b335651e9611171204537c71ba388db4db167aefa51bbd7921a251e78fead13d7b78a49c215d2c6b76dfa7fe707b1aa7
-
SSDEEP
12288:4ioiQoFCeOSdnlHrT+uZA1hDWJdjbM7ffN5nIzZETVi0dyfklC5:4nidFKA+RuJdHaNOqfdyff
Score 10/10
WarzoneRat, AveMaria
WarzoneRAT (also sold as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT payload
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check so the payload only runs (or refuses to run) in certain regions.
-
Drops startup file
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial .NET obfuscator, which is capable of entity renaming and control flow obfuscation; the outer file is therefore a managed loader rather than the native Warzone payload itself.
-
Uses the VBS compiler for execution
Spawns the Visual Basic compiler (vbc.exe), a signed Microsoft binary commonly used by .NET loaders as a host process for injected code.
-
Suspicious use of SetThreadContext
Setting the thread context of another process's thread, usually after creating that process suspended and writing to its memory, is the typical final step of process hollowing; together with the vbc.exe spawn above this is consistent with the Warzone payload being injected into vbc.exe. An analyst should confirm by checking which process actually opens the C2 connection.
-
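The indicators above (file hashes, the extracted C2 `jackspro.warzonedns.com:2018`, and the vbc.exe / SetThreadContext hollowing pattern) can be turned into a small triage script. The following is an added example, not Triage/Hatching code and not part of the sample; the hash and C2 values are taken from this report, while the log line format, the process-event field names, the list of user-writable parent directories and the optional parent-zone match are assumptions made for the demonstration.

```python
"""Triage helpers built from the IOCs in the WarzoneRAT report above.

Added example: not Triage code or part of the analysed sample. IOC values
come from the report; log formats and the hollowing heuristic are assumed.
"""
import re
from typing import List, Optional, Tuple

# Indicators copied from the report.
FILE_HASHES = {
    "md5": "adfdd48b3b0748bd44870fc6f8cedee4",
    "sha1": "45d1a46ce93e853f63008d0315e71153fa210aa9",
    "sha256": "74b7f3c7a973317481bac9efb82cb7de5269fac1db08f701f2ec68f9dff92f47",
}
C2_HOST = "jackspro.warzonedns.com"
C2_PORT = 2018

# Assumed heuristic: a dropper in a user-writable directory spawning vbc.exe
# matches the "Uses the VBS compiler" + SetThreadContext hollowing pattern.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp", "\\appdata\\roaming", "\\downloads")
HOLLOWING_TARGETS = {"vbc.exe"}

# Assumed log formats (constructed for this example):
#   "<ts> <src_ip> -> <dst_host>:<dst_port>"      network connection
#   "<ts> <src_ip> DNS <queried_name>"            DNS query
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<host>[^:\s]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+DNS\s+(?P<qname>\S+)$")


def hash_matches(digest: str) -> Optional[str]:
    """Return which report hash (md5/sha1/sha256) equals `digest`, else None.
    Case-insensitive; the algorithm is inferred from the hex length."""
    d = digest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d))
    if algo and FILE_HASHES[algo] == d:
        return algo
    return None


def scan_network_log(lines: List[str], match_parent_zone: bool = False) -> List[Tuple[str, str, str]]:
    """Return (ts, src, reason) for every line that touches the C2.

    With match_parent_zone=True, any host under the same dynamic-DNS zone
    (warzonedns.com) is also flagged; assumed noisier, so off by default."""
    zone = C2_HOST.split(".", 1)[1]
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            host, port = m["host"].lower().rstrip("."), int(m["port"])
            if host == C2_HOST and port == C2_PORT:
                hits.append((m["ts"], m["src"], f"connection to C2 {host}:{port}"))
            elif match_parent_zone and host.endswith("." + zone):
                hits.append((m["ts"], m["src"], f"connection into C2 zone {host}:{port}"))
            continue
        m = DNS_RE.match(line)
        if m:
            q = m["qname"].lower().rstrip(".")
            if q == C2_HOST or (match_parent_zone and q.endswith("." + zone)):
                hits.append((m["ts"], m["src"], f"DNS lookup of {q}"))
    return hits


def scan_process_events(events: List[dict]) -> List[Tuple[str, str]]:
    """Flag process creations where an image in a user-writable directory
    spawns vbc.exe. Event dicts use assumed keys: ts, parent_image, image."""
    hits = []
    for ev in events:
        child = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent_image"].lower()
        if child in HOLLOWING_TARGETS and any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
            hits.append((ev["ts"], f"{ev['parent_image']} spawned {child}"))
    return hits


# Constructed sample data: one infected host, one benign host, one host in the zone.
SAMPLE_NET_LOG = [
    "2024-06-15T12:00:00Z 10.0.0.5 DNS jackspro.warzonedns.com",
    "2024-06-15T12:00:01Z 10.0.0.5 -> jackspro.warzonedns.com:2018",
    "2024-06-15T12:00:02Z 10.0.0.6 -> update.example.com:443",
    "2024-06-15T12:00:03Z 10.0.0.7 -> other-host.warzonedns.com:2018",
]
SAMPLE_PROC_EVENTS = [
    {"ts": "2024-06-15T12:00:00Z",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\adfdd48b3b0748bd44870fc6f8cedee4_JaffaCakes118.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"ts": "2024-06-15T12:00:05Z",  # legitimate build tooling, should not fire
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
]

if __name__ == "__main__":
    print(hash_matches("ADFDD48B3B0748BD44870FC6F8CEDEE4"))
    for hit in scan_network_log(SAMPLE_NET_LOG, match_parent_zone=True):
        print(hit)
    for hit in scan_process_events(SAMPLE_PROC_EVENTS):
        print(hit)
```

The exact C2 host and port are the high-confidence indicator; the parent-zone option exists because Warzone operators use the warzonedns.com dynamic-DNS zone for many campaigns, so it is a useful hunting pivot but can produce false positives and is therefore opt-in. The process heuristic is intentionally narrow (vbc.exe from a user-writable parent); broaden HOLLOWING_TARGETS only after checking what else legitimately spawns those binaries in your environment.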