Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2024 21:14

General

  • Target

    c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe

  • Size

    990KB

  • MD5

    c46a2af1bddbb0eca275e471a8b97bd3

  • SHA1

    03503ee5df73a99678c517dcaf658b5112d50185

  • SHA256

    160e446ae73cb863d4b03ae61fc19412c40ff3c54801fee7688717869c782dd1

  • SHA512

    5ba6854d8f6562a6bf4cf8632109a85f8d9246a48fdf571e7f0d472c98d09350bf37e327ba3fd296da88bdc5a7ab518bee0cffb9893b2fd5c566f63e9ea25e72

  • SSDEEP

    24576:qAOcZuXPw5FUAD5JQfBo8qzPq3XFQYcqa6lCKCz:QeF3QazPWX6Kta

Malware Config

Extracted

Family

warzonerat

C2

45.162.228.171:26112

Signatures

  • Bazaloader family
  • Detects BazaLoader malware 3 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3576
      • C:\Users\Admin\AppData\Local\Temp\c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif
          "C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif" coxabch.pwt
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:116
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1252
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4540
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2560
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2528
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:412
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2364
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2280
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4320
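The Signatures and the process tree above describe one chain: Explorer runs the sample, the sample drops and runs a .pif from a numbered AppData\Roaming folder, that .pif repeatedly launches mshta.exe with no script argument, and finally a 44 KB RegSvcs.exe from %TEMP%, while the report flags SetThreadContext and WriteProcessMemory on the .pif. The report tags both a BazaLoader YARA hit and an extracted WarzoneRAT config; the rules below key on the observed process behaviour rather than on either family label. This is an added example, not output of the sandbox: the records are constructed Sysmon-style process-creation events whose PIDs, image paths and command lines are copied from the tree above, parent PIDs follow the tree, Explorer's parent PID and the two benign control records at the end are invented, and the spray threshold is an assumption.

```python
"""Hunting rules for the execution chain in the process tree above (added example)."""
import re
from collections import defaultdict


def event(pid, ppid, image, args=""):
    # One constructed process-creation record; quoting mirrors how the report prints command lines.
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": f'"{image}" {args}'.rstrip()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe"
PIF = r"C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif"
MSHTA = r"C:\Windows\SysWOW64\mshta.exe"

EVENTS = (
    [event(3576, 1, r"C:\Windows\Explorer.EXE"),      # parent PID 1 is assumed, not from the report
     event(1760, 3576, SAMPLE),
     event(116, 1760, PIF, "coxabch.pwt")]
    + [event(pid, 116, MSHTA) for pid in (1252, 4540, 2560, 2528, 412, 2364, 2280)]
    + [event(4320, 116, r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"),
       # Benign controls (constructed): the real .NET tool, and mshta given an .hta file to render.
       event(9001, 3576, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "lib.dll"),
       event(9002, 3576, r"C:\Windows\System32\mshta.exe", r"C:\Tools\ui.hta")]
)

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
DOTNET_DIR = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
SCRIPT_ARG = re.compile(r"\.hta$|^(https?:|javascript:|vbscript:|about:)", re.I)
MSHTA_SPRAY_THRESHOLD = 3   # assumed; tune to what your estate considers normal


def args_of(cmdline):
    """Return the arguments that follow the (possibly quoted) image path."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).split() if m else []


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid) findings for the behaviours the report flags."""
    findings = []
    mshta_children = defaultdict(int)
    for e in events:
        name, args = basename(e["image"]), args_of(e["cmdline"])
        # 1. A .pif (a PE hiding under a shortcut-style extension) executed from a
        #    user-writable directory; here it is handed a .pwt data file as its argument.
        if name.endswith(".pif") and USER_WRITABLE.search(e["image"]):
            findings.append(("pif_from_user_dir", e["pid"]))
        # 2. mshta.exe with no HTA/URL/script argument has nothing to render and is a
        #    blank host process; several from one parent is a stronger signal.
        if name == "mshta.exe" and not any(SCRIPT_ARG.search(a) for a in args):
            findings.append(("mshta_without_script", e["pid"]))
            mshta_children[e["ppid"]] += 1
        # 3. RegSvcs.exe ships inside the .NET Framework directory; a copy anywhere else was dropped.
        if name == "regsvcs.exe" and not DOTNET_DIR.search(e["image"]):
            findings.append(("regsvcs_outside_dotnet_dir", e["pid"]))
    for ppid, n in mshta_children.items():
        if n >= MSHTA_SPRAY_THRESHOLD:
            findings.append(("mshta_spray_from_parent", ppid))
    return findings


def flagged_pids(events):
    return {pid for _, pid in hunt(events)}


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:28} pid={pid}")
```

Run against the constructed events, the three behavioural rules fire on PID 116 (the .pif), on each of the seven mshta.exe children, and on the RegSvcs.exe copy in %TEMP% (PID 4320); the spray rule attributes the mshta burst back to PID 116; the two benign controls stay silent. The parent-child relationship is what the .pif's WriteProcessMemory and SetThreadContext hits point at, so pair these rules with your injection telemetry rather than treating any single one as conclusive.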

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

      Filesize

      44KB

      MD5

      9d352bc46709f0cb5ec974633a0c3c94

      SHA1

      1969771b2f022f9a86d77ac4d4d239becdf08d07

      SHA256

      2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

      SHA512

      13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    • C:\Users\Admin\AppData\Roaming\91305724\imrgkhud.exe

      Filesize

      368KB

      MD5

      969368babb963ede6100120d4ece245e

      SHA1

      c6d1e24dde9ccb60cba291f56efa4286f7f7d3f5

      SHA256

      d09763cf25ea0980904252e995bdf6db533b223558cf2bc889f40c37be49c3c8

      SHA512

      c437a80f3cc5702e35bdbf95536c6fecf1c17fba361f86b1f26340a15ce4d21aaad4d6093346fb8a342cd943540d1ee2ed075159667823640d016e9630ceef24

    • C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif

      Filesize

      646KB

      MD5

      cdbb08d4234736c4a052dc3f181e66f2

      SHA1

      6801a805b6dcb760e8bf399a7d3ad0489fec7bfb

      SHA256

      07e5f6d7ec7ccbc3d742658e9161d799934c6f7f6a3ebf560f361b4ee1730b6a

      SHA512

      1ebd1a546e64d4b36d4f143ff7211d953f8db8e74c739db5e9c0939a6eb010a461fd1368f8a7813a8a2da804de6993010075ac21e4917d74d3f9394eaebafdfb

    • memory/3576-55-0x0000000007470000-0x0000000007570000-memory.dmp

      Filesize

      1024KB

    • memory/3576-63-0x0000000000B50000-0x0000000000B56000-memory.dmp

      Filesize

      24KB

    • memory/3576-56-0x0000000007470000-0x0000000007570000-memory.dmp

      Filesize

      1024KB

    • memory/3576-57-0x0000000000B50000-0x0000000000B56000-memory.dmp

      Filesize

      24KB

    • memory/4320-50-0x0000000000500000-0x0000000000A28000-memory.dmp

      Filesize

      5.2MB

    • memory/4320-52-0x0000000000500000-0x0000000000A28000-memory.dmp

      Filesize

      5.2MB

    • memory/4320-54-0x0000000000500000-0x0000000000A28000-memory.dmp

      Filesize

      5.2MB
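The Malware Config and Downloads sections above are flat key/value text: a family name, a C2 socket, and per-artifact hash blocks, with memory dumps named by PID, dump index and address range. As an added example that is not part of the sandbox output, the parser below turns an excerpt of that text (constructed from the sections above, with the blank lines between keys and values omitted since the parser ignores them) into structured IOCs, and cross-checks each dump's declared Filesize against the span encoded in its name, which is a cheap sanity check before trusting a region as a payload extraction point. The size-unit table and the 5% tolerance are assumptions.

```python
"""Parse the report's Malware Config / Downloads text into IOCs (added example)."""
import re

# Constructed excerpt, copied from the report sections above.
REPORT = r"""
Malware Config
Extracted
Family
warzonerat
C2
45.162.228.171:26112
Downloads
• C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize
  44KB
  MD5
  9d352bc46709f0cb5ec974633a0c3c94
  SHA256
  2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
• C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif
  Filesize
  646KB
  SHA256
  07e5f6d7ec7ccbc3d742658e9161d799934c6f7f6a3ebf560f361b4ee1730b6a
• memory/4320-50-0x0000000000500000-0x0000000000A28000-memory.dmp
  Filesize
  5.2MB
• memory/3576-63-0x0000000000B50000-0x0000000000B56000-memory.dmp
  Filesize
  24KB
"""

KEYS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}   # assumed binary units


def parse_size(text):
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_report(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = {"family": None, "c2": [], "files": [], "memory": []}
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Family" and i + 1 < len(lines):
            report["family"] = lines[i + 1]
            i += 2
            continue
        if line == "C2":                      # one or more ip:port lines follow
            i += 1
            while i < len(lines) and C2_RE.match(lines[i]):
                m = C2_RE.match(lines[i])
                report["c2"].append((m.group(1), int(m.group(2))))
                i += 1
            continue
        if line.startswith("• "):             # a new artifact: dropped file or memory dump
            name = line[2:].strip()
            m = MEM_RE.match(name)
            if m:
                start, end = int(m.group(3), 16), int(m.group(4), 16)
                current = {"pid": int(m.group(1)), "index": int(m.group(2)),
                           "start": start, "end": end, "bytes": end - start}
                report["memory"].append(current)
            elif WIN_PATH_RE.match(name):
                current = {"path": name}
                report["files"].append(current)
            else:
                current = None                # a signature bullet, not an artifact
            i += 1
            continue
        if line in KEYS and current is not None and i + 1 < len(lines):
            current[line.lower()] = lines[i + 1]
            i += 2
            continue
        i += 1
    return report


def dump_size_consistent(region, tolerance=0.05):
    """Does the dump's declared Filesize agree with the address span in its name?"""
    declared = parse_size(region["filesize"])
    return abs(declared - region["bytes"]) <= tolerance * declared


def iocs(report):
    """Flat indicator set for a blocklist or hunt query."""
    out = {f"{ip}:{port}" for ip, port in report["c2"]}
    for f in report["files"]:
        out.update(f[k] for k in ("md5", "sha1", "sha256") if k in f)
    return out
```

On the excerpt, the 0x500000-0xA28000 region of PID 4320 (the RegSvcs.exe copy) spans 0x528000 bytes, which matches the declared 5.2 MB; that region is far larger than the 44 KB file on disk, which is the kind of discrepancy worth checking before carving a payload out of a dump. Hashes in the report are in lower-case hex already, so the set can be fed straight into a case-sensitive lookup.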