General

  • Target

    08cf0b443a6055b1482f62144d66a204_JaffaCakes118

  • Size

    2.7MB

  • Sample

    240728-ew52as1cqf

  • MD5

    08cf0b443a6055b1482f62144d66a204

  • SHA1

    8d57b231c490e4e3e4e0e371467dc6ce844a8fb9

  • SHA256

    382f4830e1171dba2e9a6967f63238c7641e4247e72497e836a79d66df05ac43

  • SHA512

    4c26031dbd065f9e7f6f8470ea4be6a3f564e1f6117c564dbee65b585dadffba3a76391bbcceaef209d46ee7019c493ecfbff100cf9f6fed4859471cb85d4fe3

  • SSDEEP

    24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81c:fF6mw4gxeOw46fUbNecCCFbNecq

Malware Config

Targets

    • Target

      08cf0b443a6055b1482f62144d66a204_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup (Installed Components); the StubPath command stored there is executed for each user at logon.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
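
The signatures above name behaviours, not the exact registry values or sections the sample wrote. The following offline triage helper is an added example, not part of the sandbox report or of the sample itself: it checks a constructed .reg export for the Winlogon, Active Setup, Run-key and Explorer hidden-file changes the report lists, and a constructed minimal PE header for the UPX0/UPX1 section names that stock UPX leaves behind. The registry paths, the stock Winlogon defaults, and the sample data are assumptions for illustration.

```python
"""Offline triage checks for the persistence and packing signatures in a sandbox report.

Added example (not from the report or the sample): runs against constructed
input only, never a live registry or the real binary.
"""
import re
import struct

# Registry locations behind the listed signatures (assumed mapping: the report
# names the behaviours, not the keys the sample actually touched).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce")
EXPLORER_ADV = r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Stock values of a clean install (assumed baseline used for comparison).
WINLOGON_DEFAULTS = {"Shell": "explorer.exe",
                     "Userinit": r"C:\Windows\system32\userinit.exe,"}

# Constructed .reg export: every path, name and GUID here is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svc.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Users\\Public\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svc"="C:\\Users\\Public\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg export.

    Handles REG_SZ ("..." with doubled backslashes) and dword values only,
    which is all the checks below need.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, s, d = m.groups()
                keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys


def persistence_findings(keys):
    """Flag the four registry behaviours the report lists; returns human-readable strings."""
    findings = []
    for path, values in keys.items():
        if path == WINLOGON:
            # Shell/Userinit are appended to by Winlogon hijacks; compare to baseline.
            for name, default in WINLOGON_DEFAULTS.items():
                v = values.get(name)
                if v is not None and v.strip().lower() != default.lower():
                    findings.append(f"Winlogon {name} modified: {v}")
        elif path.startswith(ACTIVE_SETUP + "\\") and "StubPath" in values:
            findings.append(f"Active Setup StubPath: {values['StubPath']}")
        elif path.endswith(RUN_KEYS):
            for name, v in values.items():
                findings.append(f"Run key entry {name}: {v}")
        elif path.endswith(EXPLORER_ADV):
            # Hidden=2 hides hidden files; ShowSuperHidden=0 hides protected OS files.
            if values.get("Hidden") == 2 or values.get("ShowSuperHidden") == 0:
                findings.append("Explorer hidden/system file visibility changed")
    return findings


def pe_section_names(data):
    """Walk DOS header -> NT headers -> section table and return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                              # IMAGE_SECTION_HEADER array
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]


def looks_upx_packed(data):
    """Stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept)."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def build_fake_pe(section_names):
    """Constructed minimal PE header (no optional header, no code) for testing the parser."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_hdr + sections


if __name__ == "__main__":
    for f in persistence_findings(parse_reg_export(SAMPLE_REG)):
        print("[!]", f)
    print("UPX sections:", looks_upx_packed(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

Run it as-is to see the four findings from the constructed export; to use it on a real host, feed `parse_reg_export` the output of `reg export` for the hives above and `pe_section_names` the dropped executable. Section names are only a first pass: a modified UPX build can rename them, which is why the report's signature mentions modified UPX, so follow up with entropy and unpacking rather than treating an absent UPX0 as a clean result.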

MITRE ATT&CK Enterprise v15

Tasks