General

  • Target

    09d2701774bb74673e35dcfe7661231e_JaffaCakes118

  • Size

    686KB

  • Sample

    240728-fh9yrssdrh

  • MD5

    09d2701774bb74673e35dcfe7661231e

  • SHA1

    f8598752168cfc6b34fa8c7d306825e3d185b6de

  • SHA256

    00c81ee60f577f38edc27e5c1532d4996e55a86f322e248e4e9f80f159c449b8

  • SHA512

    9546ee991d252cf0a19508a0049d63ff187ae81a0c7a327996ecfb4879560e98e418e64acf75265621623b3b660f85ffb13490fccb475e38c5edb1daa5649977

  • SSDEEP

    12288:i1eRRAfxCIUnyNOI/SN/HWQZUp7rpiEpIiQHkRT5:EiRO8nyNOI0u7G+INw

Malware Config

Extracted

Family

warzonerat

C2

bestsuccess.ddns.net:2442

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks