General
-
Target
11cf2810dd5c7cfba32d757140abd921_JaffaCakes118
-
Size
1.2MB
-
Sample
240728-k3ka3aydpq
-
MD5
11cf2810dd5c7cfba32d757140abd921
-
SHA1
9e5ec5e35c37c1384ba33f823494f8816a4256b9
-
SHA256
ffde774a1d7b96f6db9ee7f0f734cd2d0c6ad97e15a1ce5094be51158ad8fecd
-
SHA512
9459174f978163011ead4b75e8fdfe177ed90de05c0c753e52e39447f1ae0017107ca452234a808081681359256846f5b2baff3ca9b58d5b9e9142f9e050e2aa
-
SSDEEP
12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11k/:OIbGD2JTu0GoZQDbGV6eH81k/
Behavioral task
behavioral1
Sample
11cf2810dd5c7cfba32d757140abd921_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
11cf2810dd5c7cfba32d757140abd921_JaffaCakes118.exe
Resource
win10v2004-20240730-en
Malware Config
Targets
-
-
Target
11cf2810dd5c7cfba32d757140abd921_JaffaCakes118
-
Size
1.2MB
-
MD5
11cf2810dd5c7cfba32d757140abd921
-
SHA1
9e5ec5e35c37c1384ba33f823494f8816a4256b9
-
SHA256
ffde774a1d7b96f6db9ee7f0f734cd2d0c6ad97e15a1ce5094be51158ad8fecd
-
SHA512
9459174f978163011ead4b75e8fdfe177ed90de05c0c753e52e39447f1ae0017107ca452234a808081681359256846f5b2baff3ca9b58d5b9e9142f9e050e2aa
-
SSDEEP
12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11k/:OIbGD2JTu0GoZQDbGV6eH81k/
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4