General

  • Target

    0ede8ab43d2846b1bf4eb94aee9480f9_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240728-jfa87svgrp

  • MD5

    0ede8ab43d2846b1bf4eb94aee9480f9

  • SHA1

    861148bd09b567fe772595fababa11a21760a771

  • SHA256

    14261c0f40fb9940247254a114bb4b69f91ea2d5251492d5d5c1c8f95b673ec2

  • SHA512

    3ca5632d408db25c4efa8d8a462c7293d0fc3ca065e83dfa5534e3c15cbda996b2ad677b0ca852f5c01ea1cab3a933ae2dc3b2ee49a116d4a7f7462b2885fa81

  • SSDEEP

    24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHA:3Ty7A3mw4gxeOw46fUbNecCCFbNecH

Malware Config

Targets

    • Target

      0ede8ab43d2846b1bf4eb94aee9480f9_JaffaCakes118

    • Size

      2.9MB

    • MD5

      0ede8ab43d2846b1bf4eb94aee9480f9

    • SHA1

      861148bd09b567fe772595fababa11a21760a771

    • SHA256

      14261c0f40fb9940247254a114bb4b69f91ea2d5251492d5d5c1c8f95b673ec2

    • SHA512

      3ca5632d408db25c4efa8d8a462c7293d0fc3ca065e83dfa5534e3c15cbda996b2ad677b0ca852f5c01ea1cab3a933ae2dc3b2ee49a116d4a7f7462b2885fa81

    • SSDEEP

      24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHA:3Ty7A3mw4gxeOw46fUbNecCCFbNecH

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (MITRE ATT&CK T1547.014); the StubPath of each component is executed once per user at logon.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (the API used to redirect a thread's execution in process hollowing and similar injection techniques)
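The signatures above name five persistence and Explorer-settings locations (WinLogon, Active Setup, Run keys, the Startup folders, and the hidden-file settings). The following script is an added example that enumerates all of them on the detonation VM so the before/after state can be diffed; it is not code from the sandbox report or from the Warzone/AveMaria tooling. It assumes an elevated PowerShell session on Windows, and the "default" values it compares against are stock Windows defaults chosen here, not values taken from the report.

```powershell
# Added example: persistence triage for the locations named in the signatures above.
# Assumptions: elevated PowerShell on the detonation VM; the baselines below are stock
# Windows defaults chosen for this example, not values from the report.

$ErrorActionPreference = 'SilentlyContinue'

# Registry values under a key, minus the PS* metadata properties Get-ItemProperty adds.
function Get-RegEntries {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Location = $Path; Name = $_.Name; Value = $_.Value } }
    }
}

# 1. WinLogon: Shell and Userinit each hold one stock entry; an appended ",C:\...\payload.exe"
#    (or a Shell/Userinit value appearing under HKCU at all) is the classic modification.
function Get-WinLogonEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        Get-RegEntries "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" |
            Where-Object { $_.Name -in 'Shell', 'Userinit' } |
            ForEach-Object {
                $parts = @($_.Value -split ',' | Where-Object { $_.Trim() })
                $_ | Add-Member -NotePropertyName Suspicious `
                                -NotePropertyValue ($parts.Count -gt 1 -or $hive -eq 'HKCU') -PassThru
            }
    }
}

# 2. Active Setup: every component with a StubPath runs once per user at logon; the HKCU copy
#    of the component key records that it has already run for the current user.
function Get-ActiveSetupEntries {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    Get-ChildItem -Path $roots | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if ($stub) {
            [pscustomobject]@{
                Component  = $_.PSChildName
                StubPath   = $stub
                # stock components run from Windows/Program Files; user-writable paths stand out
                Suspicious = ($stub -match '\\(Users|AppData|Temp|ProgramData|Public)\\')
                RanForUser = Test-Path ('HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\' + $_.PSChildName)
            }
        }
    }
}

# 3. Run / RunOnce keys in both hives (plus the Wow6432Node view for 32-bit droppers).
function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) { Get-RegEntries -Path $k }
}

# 4. Startup folders ("Drops startup file").
function Get-StartupFolderItems {
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    Get-ChildItem -Path $dirs -File | Select-Object FullName, Length, LastWriteTime
}

# 5. Explorer hidden/system file visibility.
function Get-ExplorerHiddenFileSettings {
    $adv     = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $showall = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    [pscustomobject]@{
        Hidden          = $adv.Hidden            # 2 = hide hidden files (default), 1 = show
        ShowSuperHidden = $adv.ShowSuperHidden   # 0 = hide protected OS files (default), 1 = show
        ShowAllChecked  = $showall.CheckedValue  # 1 by default; 0 breaks the "Show hidden files" toggle
    }
}

function Invoke-PersistenceTriage {
    [pscustomobject]@{
        WinLogon    = @(Get-WinLogonEntries)
        ActiveSetup = @(Get-ActiveSetupEntries)
        RunKeys     = @(Get-RunKeyEntries)
        Startup     = @(Get-StartupFolderItems)
        Explorer    = Get-ExplorerHiddenFileSettings
    }
}

Invoke-PersistenceTriage | ConvertTo-Json -Depth 4
```

Run it once on the clean snapshot and save the JSON, detonate the sample, run it again, and diff the two files: new Run values, an extra comma-separated entry in Shell or Userinit, an Active Setup component whose StubPath points into a user-writable directory, or Hidden/ShowSuperHidden changed from their defaults each map back to one of the signatures listed above.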

MITRE ATT&CK Enterprise v15

Tasks