General

  • Target

    0d5db90ff264287c86d93f6feaafc25e_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240728-hl24fatcrr

  • MD5

    0d5db90ff264287c86d93f6feaafc25e

  • SHA1

    b929a66d142d37e017ea90f952b4244d136f1201

  • SHA256

    1ef2835924c84f6daac034c333a66128863eff9ae981b5b86b85e364c5686a2d

  • SHA512

    570d60e33ffdd613310976032ae9b0c4d4bd3f7694e132350522fc40e4d08a337dc665bd567bff2c7a88ed7fa7fc076915418f6bb854b130c5c91d3c678433b1

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHO:3Ty7A3mw4gxeOw46fUbNecCCFbNecl

Malware Config

Targets

    • Target

      0d5db90ff264287c86d93f6feaafc25e_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native remote access trojan written in C++ and sold as malware-as-a-service (MaaS), with multiple plugins extending its capabilities.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the StubPath command of each component is executed once per user at the next logon.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
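
The persistence and Explorer-visibility signatures above each map to a fixed set of Registry keys and folders, so a responder can check a suspect host for the same artifacts without re-running the sample. The following read-only PowerShell audit is an added example, not part of the Triage report or of the sandbox's own signature logic. It enumerates Active Setup Installed Components (both native and WOW6432Node views), the Winlogon Userinit/Shell values, the per-user and machine Run/RunOnce keys, both Startup folders, and the Explorer Advanced settings that control hidden/system file visibility. The stock values it compares against (userinit.exe with its trailing comma, explorer.exe) and the user-writable path patterns it flags as suspicious are assumptions for a default Windows install and should be confirmed against a known-good host.

```powershell
# Added example (not from the Triage report): audit the locations named in the
# persistence / visibility signatures. Read-only; run in an elevated PowerShell.
# Stock defaults and the "suspicious path" heuristic are assumptions for a
# default Windows install; validate them against a known-good machine.

function Get-PersistenceFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    # Assumption: payloads dropped by commodity RATs usually live in user-writable dirs.
    $userWritable = '(?i)\\(AppData|Temp|ProgramData|Users|Public)\\'

    function Add-Finding([string]$Source, [string]$Key, [string]$Value, [bool]$Suspicious) {
        $findings.Add([pscustomobject]@{ Source = $Source; Key = $Key; Value = $Value; Suspicious = $Suspicious })
    }

    # Boot or Logon Autostart Execution: Active Setup (ATT&CK T1547.014).
    # Every Installed Components subkey with a StubPath runs once per user at logon.
    foreach ($root in @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components')) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub) { Add-Finding 'ActiveSetup' $_.Name $stub ($stub -match $userWritable) }
        }
    }

    # Winlogon: Userinit and Shell should hold the stock values; anything appended
    # (e.g. "userinit.exe,C:\Users\...\payload.exe") runs at every interactive logon.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl) {
        Add-Finding 'Winlogon' 'Userinit' $wl.Userinit ($wl.Userinit -ne 'C:\Windows\system32\userinit.exe,')
        Add-Finding 'Winlogon' 'Shell'    $wl.Shell    ($wl.Shell -ne 'explorer.exe')
    }

    # Run / RunOnce keys (ATT&CK T1547.001): list every entry; flag user-writable targets.
    foreach ($k in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            Add-Finding 'RunKey' $k "$($_.Name) = $($_.Value)" ([string]$_.Value -match $userWritable)
        }
    }

    # Startup folders ("Drops startup file"): any file here executes at logon.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Finding 'StartupFolder' $dir $_.Name $true
        }
    }

    # Explorer visibility ("Modifies visibility of hidden/system files").
    # Hidden = 2 and ShowSuperHidden = 0 hide hidden/system files; these are also the
    # stock defaults, so they are reported for context rather than flagged outright.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv) {
        Add-Finding 'ExplorerAdvanced' 'Hidden'          ([string]$adv.Hidden)          $false
        Add-Finding 'ExplorerAdvanced' 'ShowSuperHidden' ([string]$adv.ShowSuperHidden) $false
    }

    return $findings
}

# Show suspicious entries first, then everything else for manual review.
Get-PersistenceFindings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Treat the Suspicious column as a triage aid only: legitimate installers also write Active Setup stubs and Run entries, and a RAT that copies itself into a system directory will not match the user-writable path heuristic. Compare the full listing against a clean baseline of the same Windows build, and pair it with a check of the process tree for the SetThreadContext behaviour noted above, which this Registry audit cannot see.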

MITRE ATT&CK Enterprise v15

Tasks