General

  • Target

    807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118

  • Size

    818KB

  • Sample

    241030-2ywlzasgrb

  • MD5

    807f0f985e9e4f3e8f0bcd4f55edfe33

  • SHA1

    cda44708c3c8efe8d980250e791ee8cde1f7afc7

  • SHA256

    18557447ecf0465479dbc151e8b1370550f10211373cd738e3a67e9112927bc8

  • SHA512

    2f44a8ee43d7df95a4252d0223246f05de2e2909b0d2315c0b91d6e5ba234f6de29fe281a1ada596eb1eccf600e9b95a69837a8296382441dc11463beb17fee2

  • SSDEEP

    12288:ErF379ZC7EbHCegVz9UPRdZ9fyWmqbA3:KhZDbfgVz9UPR9f9bA

Malware Config

Extracted

Family

warzonerat

C2

googleservers.org:5740

Targets

    • Target

      807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native Windows RAT written in C++, sold as malware-as-a-service with a set of optional plugins.

    • Warzonerat family

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).

    • Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, launched as a host process)

    • Suspicious use of SetThreadContext (consistent with process hollowing or thread hijacking into the spawned host process)
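Turning the report's indicators into a hunt, as an added example that is not part of the sandbox report: the C2 host and port and the SHA256 come from the sections above; the key=value log lines, the field names, and the allow-list of parents that normally launch vbc.exe are constructed assumptions for illustration and should be tuned to the environment.

```python
"""Hunt for this report's indicators across constructed endpoint log lines.

Added example, not part of the sandbox report. C2 host/port and the SHA256
are copied from the report; the log format, the sample lines and the
vbc.exe parent allow-list are assumptions made for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the report above.
C2_HOST = "googleservers.org"
C2_PORT = 5740
SAMPLE_SHA256 = "18557447ecf0465479dbc151e8b1370550f10211373cd738e3a67e9112927bc8"

# Parents that legitimately launch vbc.exe (assumption; build tooling only).
VBC_EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "vbc.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str
    line: str


# Constructed log lines in a simple key=value layout (not from the report).
SAMPLE_LOGS = [
    "type=dns host=WS01 query=googleservers.org rcode=NOERROR",
    "type=dns host=WS01 query=www.microsoft.com rcode=NOERROR",
    "type=netconn host=WS01 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe dst=203.0.113.10 dport=5740",
    "type=netconn host=WS02 image=C:\\Program Files\\Firefox\\firefox.exe dst=203.0.113.20 dport=443",
    "type=proc host=WS01 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe parent=C:\\Users\\alice\\Downloads\\invoice.exe",
    "type=proc host=DEV01 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe parent=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(lines) -> list:
    """Return one Hit per line that matches an indicator-derived rule."""
    hits = []
    for line in lines:
        f = parse_line(line)
        kind = f.get("type")
        if kind == "dns":
            q = f.get("query", "").lower().rstrip(".")
            # Match the C2 host itself and any subdomain of it.
            if q == C2_HOST or q.endswith("." + C2_HOST):
                hits.append(Hit("c2_dns_query", line))
        elif kind == "netconn" and f.get("dport") == str(C2_PORT):
            hits.append(Hit("c2_port_connection", line))
        elif kind == "proc" and basename(f.get("image", "")) == "vbc.exe":
            # vbc.exe spawned by something other than build tooling is the
            # injection-host pattern the report's signatures describe.
            if basename(f.get("parent", "")) not in VBC_EXPECTED_PARENTS:
                hits.append(Hit("vbc_unexpected_parent", line))
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the given bytes hash to the sample's SHA256 from the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"[{h.rule}] {h.line}")
```

The port-only rule is deliberately broad (5740 is not reserved for this family) and is meant to be paired with the DNS match or the process rule rather than alerting on its own; the DEV01 line shows the allow-list suppressing a legitimate MSBuild-launched vbc.exe.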

MITRE ATT&CK Enterprise v15