General

  • Target

    0f9418927b090b93b947f4e3e0488d66_JaffaCakes118

  • Size

    1.8MB

  • Sample

    240728-js811azcmb

  • MD5

    0f9418927b090b93b947f4e3e0488d66

  • SHA1

    669326b0c4e9d66efbcaec0d1d4973190481ce08

  • SHA256

    50b75b8fe6e0797abbf5d4aa9934df1584915ae238724d2e0dd128580b70cd28

  • SHA512

    89c6b8208a860d1caba3735a98ec01ad2c08896c5e730bd7d7c21b387b8e779baf32e6f6e12bf37d25b5647ab4d6caa25d16ee9740f436afc41f66612e8dbafb

  • SSDEEP

    12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDg2:r1gg4CppEI6GGfWDkCQDbGV6eH81kD

Targets

    • Target

      0f9418927b090b93b947f4e3e0488d66_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native C++ RAT sold as malware-as-a-service (MaaS), with multiple plugins.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
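
The signature names above map to a handful of registry locations. As an added example, not part of this report or of the sandbox that produced it, the Python below parses a small .reg export and flags the same four conditions: a Winlogon Shell or Userinit value with anything appended, Explorer settings that hide hidden/system files, an Active Setup StubPath outside the Windows and Program Files trees, and Run/RunOnce entries launched from user-writable directories. The sample export (including its GUID and file paths) is constructed for the example, and the trusted-path and user-writable-path heuristics are assumptions, not the detection logic of any particular sandbox.

```python
import re

# Constructed sample: an abbreviated .reg export for the example, not data from the analysed sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01234567-89AB-CDEF-0123-456789ABCDEF}]
"StubPath"="C:\\ProgramData\\updater\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Images"="C:\\Users\\victim\\AppData\\Roaming\\images.exe"
'''

WINLOGON = r'software\microsoft\windows nt\currentversion\winlogon'
EXPLORER_ADV = r'software\microsoft\windows\currentversion\explorer\advanced'
ACTIVE_SETUP = r'software\microsoft\active setup\installed components'
RUN_KEYS = (r'software\microsoft\windows\currentversion\run',
            r'software\microsoft\windows\currentversion\runonce')
# Heuristic (assumption): directories a non-admin user can write to.
USER_WRITABLE = ('\\appdata\\', '\\users\\public\\', '\\programdata\\', '\\temp\\')
# Heuristic (assumption): prefixes where legitimate Active Setup stubs normally live.
TRUSTED_PREFIXES = ('c:\\windows\\', '%systemroot%', 'c:\\program files')


def _unescape(s):
    # .reg exports double backslashes and escape quotes inside REG_SZ data.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    REG_SZ becomes str, dword: becomes int; other types (hex:, multi-line
    continuations) are left as their raw text or skipped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, data = line.partition('=')
        name = '' if name == '@' else name.strip('"')  # '@' is the key's default value
        if data.startswith('"'):
            reg[current][name] = _unescape(data)
        elif data.lower().startswith('dword:'):
            reg[current][name] = int(data[6:], 16)
        else:
            reg[current][name] = data
    return reg


def _user_writable(cmd):
    return any(marker in cmd.lower() for marker in USER_WRITABLE)


def _trusted_path(cmd):
    return cmd.lower().lstrip('"').startswith(TRUSTED_PREFIXES)


def audit(reg):
    """Return (category, key, detail) findings for the four signatures in the report."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(WINLOGON):
            shell = values.get('Shell', '')
            if shell.strip().lower() not in ('', 'explorer.exe'):
                findings.append(('winlogon', key, f'Shell={shell!r}'))
            userinit = values.get('Userinit', '')
            parts = [p for p in userinit.split(',') if p.strip()]
            if len(parts) > 1 or (parts and not parts[0].strip().lower().endswith('\\userinit.exe')):
                findings.append(('winlogon', key, f'Userinit={userinit!r}'))
        elif k.endswith(EXPLORER_ADV):
            # Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected OS files.
            # Both are Windows defaults, so this is informational without a baseline.
            if values.get('Hidden') == 2 or values.get('ShowSuperHidden') == 0:
                findings.append(('explorer-hidden', key,
                                 f"Hidden={values.get('Hidden')} ShowSuperHidden={values.get('ShowSuperHidden')}"))
        elif (ACTIVE_SETUP + '\\') in k:
            stub = values.get('StubPath')
            if isinstance(stub, str) and stub and not _trusted_path(stub):
                findings.append(('active-setup', key, f'StubPath={stub!r}'))
        elif k.endswith(RUN_KEYS):
            for name, data in values.items():
                if isinstance(data, str) and _user_writable(data):
                    findings.append(('run-key', key, f'{name}={data!r}'))
    return findings


if __name__ == '__main__':
    for cat, key, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'[{cat}] {key}: {detail}')
```

On a live host, feed it the output of `reg export <key> <file.reg>` for each of the four keys (the export is UTF-16LE, so open it with `encoding='utf-16'`). The Explorer check only tells you the values are set to hide files; since those are the Windows defaults, it is evidence only when compared against a known-good baseline or when the sandbox shows the sample writing them, which is what the signature above records.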

MITRE ATT&CK Enterprise v15
