General
-
Target
ba089fe4546d19803adad582ca6f2ec5_JaffaCakes118
-
Size
415KB
-
Sample
240823-c4bfjs1dpd
-
MD5
ba089fe4546d19803adad582ca6f2ec5
-
SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f
-
SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228
-
SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592
-
SSDEEP
6144:tJL/iqv7nh6Q+3HwOcc0WNm/Q6/hpMEceEOfxY5J+MlqGwwQ1vz+SaD:Brocc0W2QimeEOfxY58MlDmK
Malware Config
Extracted
warzonerat
176.126.86.243:2021
Targets
-
-
Target
ba089fe4546d19803adad582ca6f2ec5_JaffaCakes118
-
Size
415KB
-
MD5
ba089fe4546d19803adad582ca6f2ec5
-
SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f
-
SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228
-
SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592
-
SSDEEP
6144:tJL/iqv7nh6Q+3HwOcc0WNm/Q6/hpMEceEOfxY5J+MlqGwwQ1vz+SaD:Brocc0W2QimeEOfxY58MlDmK
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1