General

  • Target

    0600e34e82912e23c06c1ae806aedde8_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240728-czhn3awfme

  • MD5

    0600e34e82912e23c06c1ae806aedde8

  • SHA1

    2807384ce3b52cc5dba59ded705d4573dbec9224

  • SHA256

    98607e508050ddad3c4fbc6c18dc31a02e8b842cec87fd65477a8ce79b864765

  • SHA512

    b09288debca7f4e86aac7b4575f672fbc660ec2ee8536729bec86939694b876f06234edbc5e64ba440822dc0e7710707b73ee557cedbe4cb50757a70e4de0ba1

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH5:3Ty7A3mw4gxeOw46fUbNecCCFbNec6

Malware Config

Targets

    • Target

      0600e34e82912e23c06c1ae806aedde8_JaffaCakes118

    • Size

      2.9MB

    • MD5

      0600e34e82912e23c06c1ae806aedde8

    • SHA1

      2807384ce3b52cc5dba59ded705d4573dbec9224

    • SHA256

      98607e508050ddad3c4fbc6c18dc31a02e8b842cec87fd65477a8ce79b864765

    • SHA512

      b09288debca7f4e86aac7b4575f672fbc660ec2ee8536729bec86939694b876f06234edbc5e64ba440822dc0e7710707b73ee557cedbe4cb50757a70e4de0ba1

    • SSDEEP

      24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH5:3Ty7A3mw4gxeOw46fUbNecCCFbNec6

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks