warmcookie | c4e9ccca525c21d719b3ee8547e84934942d1d18cd96374eb61c2e99cdd7f103 | Triage

Sharing

General

Target

08112024_0342_Updater.zip
Size

64KB
Sample

241108-d9k3lsvdmn
MD5

e9a3d1601821ba17587b12f1fad693b2
SHA1

9f83e29974fdac8c0eb37dc10155502ac1c8a4db
SHA256

c4e9ccca525c21d719b3ee8547e84934942d1d18cd96374eb61c2e99cdd7f103
SHA512

bb22f6d7b888cdc19a6204b9205863850bbf6b67715528a6aafe62876009da6b181e267fbc604c9a289774f9049a93ede91bb6825320f43349f3985ed3060dba
SSDEEP

1536:fT4pMmJHW9tElNSnU2vl7Ws7RtUkr04b4jYI:MSC28lNP2d7WgRNb+YI

Score

10^/10

warmcookie backdoor discovery

Malware Config

Extracted

Family

warmcookie

Attributes

mutex
65abfc80-a660-4691-a919-130dc9b75b98

Targets

- Target
  
  Updater.dll
- Size
  
  129KB
- MD5
  
  e08edc1510052adc297d6af47022a70b
- SHA1
  
  f08af6d4a2f9655beb8219aca5711400efed8670
- SHA256
  
  915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
- SHA512
  
  2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
- SSDEEP
  
  3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
Score

10^/10

warmcookie backdoor discovery
- Warmcookie family
  warmcookie
- Warmcookie, Badspace
  Warmcookie aka Badspace is a backdoor written in C++.
  backdoor warmcookie
- Blocklisted process makes network request
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  launcher.bat
- Size
  
  61B
- MD5
  
  71fc33d2c87facdfbb2499300fc2bedd
- SHA1
  
  40ab3ac01282ce3c4df44afc5e73c6d7a7502430
- SHA256
  
  2f36e33a436d6f565230ba1dafc9dea801599d47a9ff3fbb940a200f43d8b3ae
- SHA512
  
  588b393c79c7ca748f4b4cc8fbffd7d221956bfcf9e8c4b73a0fd6d84527ecad050c5a9312fb608fc1cf276fb0149777a8d551b64af0869680beb17ff0670f2d
Score

10^/10

warmcookie backdoor discovery
- Warmcookie family
  warmcookie
- Warmcookie, Badspace
  Warmcookie aka Badspace is a backdoor written in C++.
  backdoor warmcookie
- Blocklisted process makes network request
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdoorwarmcookie

behavioral1

warmcookiebackdoordiscovery

behavioral2

warmcookiebackdoor

behavioral3

warmcookiebackdoordiscovery

behavioral4

warmcookiebackdoor