General

  • Target

    0de144d4c816040028ac945ff3b82e03_JaffaCakes118

  • Size

    6.1MB

  • Sample

    240728-hw34gsthkj

  • MD5

    0de144d4c816040028ac945ff3b82e03

  • SHA1

    4b729ecd18cd6545280c516f639e9e8d1594031d

  • SHA256

    66f1b2e4d832f68049fe1c4c0c010dbc6e21339055fd21d41859d1af5cba6a55

  • SHA512

    494050c968250efb6b416f9d6f3da516b77319ed044eeb8533b5ac23a80b89872efbd49ea3a182f6b61a8214b8c568fcedf82d8d309537321a2a84447e9bd893

  • SSDEEP

    49152:ATU7AAmw4gxeOw46fUbNecCCFbNecuTU7AAmw4gxeOw46fUbNecCCFbNecB:ATU7d9xZw46G8q8HTU7d9xZw46G8q8C

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
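The three persistence signatures above (Winlogon modification, Active Setup StubPath, Run key) all come down to registry values that can be checked on a suspect host or from a registry export. The following is an added example, not part of the sandbox report or of any Warzone sample: it parses a `.reg` export and flags the three autostart locations. The sample export text, the GUID under Installed Components, the file paths and the allow-list of benign StubPath prefixes are all constructed for illustration.

```python
"""Flag Winlogon, Active Setup and Run-key autostart entries in a .reg export.

Added example for the sandbox report above; the registry export below is
constructed, as are the paths, the GUID and the benign-prefix allow-list.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: what `reg export` of the relevant keys might look like
# after an infection. Nothing here is taken from a real sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Updater"
"StubPath"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Windows\\System32\\rundll32.exe\" setupapi,InstallHinfSection"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\svchost.exe\""
'''

# Stock defaults for the Winlogon values malware tends to append to.
WINLOGON_EXPECTED = {"shell": "explorer.exe",
                     "userinit": "c:\\windows\\system32\\userinit.exe,"}
# Assumption for this example: StubPaths launched from these trees are treated
# as expected. Tune for the host being triaged.
BENIGN_STUB_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "c:\\program files")

# "Name"=value  or  @=value (default value). String values are quoted in .reg.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


class Finding(NamedTuple):
    key: str
    name: str
    value: str
    reason: str


def _unescape(s: str) -> str:
    # .reg escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> str:
    # Quoted REG_SZ gets unescaped; dword:/hex: values are kept verbatim
    # (multi-line hex continuations are not needed for these keys).
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value}} from .reg export text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(3))
    return keys


def find_autostarts(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the three checks that correspond to the report's persistence signatures."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        lower = {n.lower(): v for n, v in values.items()}
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            for name, expected in WINLOGON_EXPECTED.items():
                if name in lower and lower[name].lower() != expected:
                    findings.append(Finding(key, name.capitalize(), lower[name],
                                            "Winlogon value differs from stock default"))
        elif "\\active setup\\installed components\\" in k:
            stub = lower.get("stubpath")
            if stub and not stub.lstrip('"').lower().startswith(BENIGN_STUB_PREFIXES):
                findings.append(Finding(key, "StubPath", stub,
                                        "Active Setup StubPath outside expected locations"))
        elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, val in values.items():
                findings.append(Finding(key, name, val, "Run key entry"))
    return findings


if __name__ == "__main__":
    for f in find_autostarts(parse_reg(SAMPLE_REG)):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.value}")
```

Run against a real export with `python script.py` after swapping `SAMPLE_REG` for the file contents (exports are UTF-16LE; decode before parsing). The Winlogon check is deliberately strict, since a legitimate host should carry the stock values verbatim; the Run-key check lists every entry because each one needs a human decision.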
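The "UPX packed file" signature notes that it also catches modified UPX, which matters because renaming the `UPX0`/`UPX1` sections and stripping the `UPX!` magic is the first thing operators do to evade name-based checks. The following is an added example, not the sandbox's signature or code from the sample: it parses the PE section table and reports three independent indicators (section names, the `UPX!` magic, and the section layout UPX produces: a first section with no raw data that reserves the unpacked image, and an entry point in a later section). The `build_sample_pe` helper constructs minimal, non-executable PE headers for demonstration only; the section sizes and addresses are made up.

```python
"""Three independent UPX indicators read from PE headers.

Added example for the sandbox report above. The PE blobs are constructed
headers only (not executables); sizes, addresses and names are illustrative.
"""
import struct
from typing import Any, Dict, List, Optional, Tuple

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_sample_pe(section_names: List[str], with_marker: bool,
                    layouts: Optional[List[Tuple[int, int, int, int]]] = None,
                    entry: int = 0x2A000) -> bytes:
    """Constructed minimal PE32: DOS stub, COFF header, optional header, sections."""
    if layouts is None:
        # Stock UPX shape: UPX0 reserves the unpacked image on disk-less virtual
        # space; UPX1 holds compressed data plus the stub and the entry point.
        layouts = [(0x20000, 0x1000, 0, 0), (0xB000, 0x21000, 0x6000, 0x400)]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt_size = 224                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                      # AddressOfEntryPoint
    table = b""
    for name, (vsize, va, rawsize, rawptr) in zip(section_names, layouts):
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                             vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0xE0000080)
    # Stock UPX writes a small header beginning with the magic "UPX!" into the
    # file; modified builds usually remove it, so it is only one indicator.
    marker = b"UPX!" + b"\x0d\x17\x0d\x0c" if with_marker else b"\0" * 8
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + marker + b"\0" * 32


def parse_sections(data: bytes) -> Tuple[int, List[Dict[str, Any]]]:
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    table = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return entry, sections


def upx_indicators(data: bytes) -> Dict[str, Any]:
    entry, sections = parse_sections(data)
    names = {s["name"] for s in sections} & UPX_SECTION_NAMES
    marker = b"UPX!" in data
    # Layout heuristic survives renaming: first section has no bytes on disk but
    # a large virtual size, and execution starts in a later section (the stub).
    ep_idx = next((i for i, s in enumerate(sections)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], 1)), None)
    first = sections[0] if sections else None
    layout = bool(first and first["rawsize"] == 0 and first["vsize"] >= 0x1000
                  and ep_idx is not None and ep_idx > 0)
    return {"upx_section_names": sorted(names), "upx_marker": marker, "upx_like_layout": layout}


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["upx_marker"] or ind["upx_like_layout"]


if __name__ == "__main__":
    print("stock   ", upx_indicators(build_sample_pe(["UPX0", "UPX1"], True)))
    print("modified", upx_indicators(build_sample_pe([".text", ".data"], False)))
```

The layout heuristic is the one worth keeping when names and magic are gone; it can also fire on other packers that reserve the image the same way, so treat it as a reason to unpack and look, not as a verdict. To run it on a real file, read the bytes and call `upx_indicators` on them.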

MITRE ATT&CK Enterprise v15
