General
Target: 8cbf6174fb3a4b3e90b5990b56035865_JaffaCakes118
Size: 436KB
Sample: 240812-bpmplaycpk
MD5: 8cbf6174fb3a4b3e90b5990b56035865
SHA1: 83ccf675ae3638bbd064ee6701389e93c9a9100c
SHA256: 16ddda7e3bc7f3b487325b51715c01ab3cca61e582dd7e147e5ad46da9b9b1ad
SHA512: 5e112e2020d58b800b13909c2a788c4d7f4ed639e535cdfd23c5e5b53cfbc68b163ef286b08c6737da7341fcc31bc07171bdf97e9ed3bad50c4fdc8138b98573
SSDEEP: 12288:gSeESodjQX25MzfcLcYMM6+HzlqwIyxzQkzDwL:sESUIpc3LxIeQkzDK
Static task: static1
Behavioral task: behavioral1
Sample: 8cbf6174fb3a4b3e90b5990b56035865_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 8cbf6174fb3a4b3e90b5990b56035865_JaffaCakes118.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted: warzonerat
n.nerdpol.ovh:30132
Targets
Target: 8cbf6174fb3a4b3e90b5990b56035865_JaffaCakes118
Score: 10/10
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Command and Scripting Interpreter: PowerShell: Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext