General

  • Target

    0e71f1094fb65e4f6a67fcd68adba0ac_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240728-h76czsvdqp

  • MD5

    0e71f1094fb65e4f6a67fcd68adba0ac

  • SHA1

    af7d567889e6a64b81bb59ef4fe1be283bf675b1

  • SHA256

    cb7f6c43403faa8093d062633ff2055009578cf760a9f12529812fb3298fac4a

  • SHA512

    711a7f8af6a13e125b3bc02f28c6f3f67c4f195417f16e43bdb7767e31fa1ffd6d8879f57b80d73a3d1833ad5d5b4a35c2f07c68ce4a848b13e577f3e7c87537

  • SSDEEP

    24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHv:ATU7AAmw4gxeOw46fUbNecCCFbNecC

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks