Extracted

• • Target

    d5b0e55b8f079ecb68617895537b90a5_JaffaCakes118

  • Size

    608KB

  • MD5

    d5b0e55b8f079ecb68617895537b90a5

  • SHA1

    ee8ee337bbf0c316d937ab39c474fb44a9c2284f

  • SHA256

    df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae

  • SHA512

    c114ff9693dd1501cfe97b46c8a74d628fcfee94c22e5fd16ed4c8733c69d9defbe1ccc07a63ce0de5a3315745328735109c4452ab1535fdf4af48ab64810649

  • SSDEEP

    12288:m4MonJCQ0qK69NpmP/zwhh93B4+N4nMMAtbcMIBMXSblAJF:m4dnk09NwMhz3H4MMKMqJF

  Score

  10^/10

  warzoneratdiscoveryinfostealerratexecutionpersistence

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2