General

  • Target

    10631867f6eb6f9462248b4054252e2e_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240728-j99c4a1blf

  • MD5

    10631867f6eb6f9462248b4054252e2e

  • SHA1

    91d55769f93d19cb7918244e7fb4f6de7b58714b

  • SHA256

    6fbffb825ea80d563c783d36176fac1f00d1ea53a5cd262f893e7a443206b80a

  • SHA512

    bb70260c39d60f95249a4c5e95b757efc3adbaad43abbcecd0e0db5115a09316a4b94e2519d5c2762ac955d87149135aa7c4fe7c331d9394011f048d23dc2696

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHb:3Ty7A3mw4gxeOw46fUbNecCCFbNecS

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks