Overview

overview

10

Static

static

3

474da62649...18.exe

windows7-x64

10

474da62649...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2024 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    474da6264953fb83a0c7ebf5ef12d724_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    474da6264953fb83a0c7ebf5ef12d724

  • SHA1

    cf9a46bb6daae05eeec53116f53fc44bdf5d810d

  • SHA256

    a9321317116649103debb8a03f5b36ee8b015fa48fc7da5c2b5eb5192dac8233

  • SHA512

    4f4567699a93859f0b0ab36321e97c5dc05cd764f069430d65121d11287dd630433871f579c30524db03a63b791bd2431d3de0540c9f7dc6a4d17645b096fb87

  • SSDEEP

    12288:QD4a0FisqocEgMHv4FiiEuu5VfCgWLdd7FPza6qfKwZMsudkM0D4pa7+os:hrd/WLdd7FPzkfKugdkML

Score
10/10
warzoneratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

193.142.59.216:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\474da6264953fb83a0c7ebf5ef12d724_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\474da6264953fb83a0c7ebf5ef12d724_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\ProgramData\imagewgjktr3s.exe
      "C:\ProgramData\imagewgjktr3s.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    779d969e45d14a3c4edf355df1c592f5

    SHA1

    bfecc252115cc05cf6514a2541efbd00a5aeef93

    SHA256

    0b0b2b1b2709068e2757442cd2ec273b2bf8e18aa050af16db7184f38136038f

    SHA512

    d64381c1bd5437818efbd21150d09d1fa8b62a6f26dac70b65a66985eb8783cc5ecf100739cc27811755521e75bc60a835c8e5bd22cdb5b1532d594257793bf5

    Download Submit

  • \ProgramData\imagewgjktr3s.exe
    Filesize

    2.6MB

    MD5

    474da6264953fb83a0c7ebf5ef12d724

    SHA1

    cf9a46bb6daae05eeec53116f53fc44bdf5d810d

    SHA256

    a9321317116649103debb8a03f5b36ee8b015fa48fc7da5c2b5eb5192dac8233

    SHA512

    4f4567699a93859f0b0ab36321e97c5dc05cd764f069430d65121d11287dd630433871f579c30524db03a63b791bd2431d3de0540c9f7dc6a4d17645b096fb87

    Download Submit

  • memory/1048-0-0x000000007741F000-0x0000000077420000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1048-1-0x00000000773B0000-0x00000000774B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1048-2-0x00000000008B0000-0x0000000000A04000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1048-20-0x00000000773B0000-0x00000000774B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1048-19-0x00000000008B0000-0x0000000000A04000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2552-24-0x00000000003C0000-0x0000000000514000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2800-37-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-39-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download