warzonerat | f25660daa72c172425bc14dd48d5aaa52fd87b6babecc911e12b39b5e51954d0

General

Target

JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe
Size

1.3MB
MD5

340c89b2f53261125d86d2289fd65456
SHA1

4cf8364eeb744304775a3037da631c6b0cffa19a
SHA256

f25660daa72c172425bc14dd48d5aaa52fd87b6babecc911e12b39b5e51954d0
SHA512

165faf95ae82cccdbf3eb47def07953f17fbe11c85c2db2db12b87cc02d1b515d9f2d5c3c276c149206b7f5eef72058aaa2c95d70ac57a658790d0d350b13444
SSDEEP

6144:DuW80WhmQDzYm00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+8JD:DuWoJ4D4pa7+o4H

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

win64pooldrv.ddns.net:9010

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2164-2-0x0000000000970000-0x0000000000AC4000-memory.dmp	warzonerat
behavioral1/memory/2164-20-0x0000000000970000-0x0000000000AC4000-memory.dmp	warzonerat
behavioral1/memory/2832-27-0x0000000000830000-0x0000000000984000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
3004	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	images.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2656	powershell.exe
3004	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2656	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	31
PID 2164 wrote to memory of 2656	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	31
PID 2164 wrote to memory of 2656	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	31
PID 2164 wrote to memory of 2656	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	31
PID 2164 wrote to memory of 2832	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	33
PID 2164 wrote to memory of 2832	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	33
PID 2164 wrote to memory of 2832	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	33
PID 2164 wrote to memory of 2832	2164	JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe	33
PID 2832 wrote to memory of 3004	2832	images.exe	34
PID 2832 wrote to memory of 3004	2832	images.exe	34
PID 2832 wrote to memory of 3004	2832	images.exe	34
PID 2832 wrote to memory of 3004	2832	images.exe	34
PID 2832 wrote to memory of 1892	2832	images.exe	35
PID 2832 wrote to memory of 1892	2832	images.exe	35
PID 2832 wrote to memory of 1892	2832	images.exe	35
PID 2832 wrote to memory of 1892	2832	images.exe	35
PID 2832 wrote to memory of 1892	2832	images.exe	35
PID 2832 wrote to memory of 1892	2832	images.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_340c89b2f53261125d86d2289fd65456.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
95d6a1b1bf1faee48738e4fda31658c7

SHA1
e6cbb3c5a552c159df78cfbc2f988fd402c32d1c

SHA256
ff80bba39867058ae4d0558dd5b7c02d4192080cb76cefae0a421cdf16966e34

SHA512
7295ff58738908ee61f05b2d97e3ccbb4cd0a8f42e98933e5d8ad636d8bd5f60cee620432b846845c3b7a8913ecab36063861344ad74901ded54915238d34164

Download Submit
\ProgramData\images.exe

Filesize
1.3MB

MD5
340c89b2f53261125d86d2289fd65456

SHA1
4cf8364eeb744304775a3037da631c6b0cffa19a

SHA256
f25660daa72c172425bc14dd48d5aaa52fd87b6babecc911e12b39b5e51954d0

SHA512
165faf95ae82cccdbf3eb47def07953f17fbe11c85c2db2db12b87cc02d1b515d9f2d5c3c276c149206b7f5eef72058aaa2c95d70ac57a658790d0d350b13444

Download Submit
memory/1892-39-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1892-41-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2164-0-0x0000000076B2F000-0x0000000076B30000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000076AC0000-0x0000000076BC0000-memory.dmp

Filesize
1024KB

Download
memory/2164-2-0x0000000000970000-0x0000000000AC4000-memory.dmp

Filesize
1.3MB

Download
memory/2164-20-0x0000000000970000-0x0000000000AC4000-memory.dmp

Filesize
1.3MB

Download
memory/2164-21-0x0000000076AC0000-0x0000000076BC0000-memory.dmp

Filesize
1024KB

Download
memory/2656-25-0x0000000076AC0000-0x0000000076BC0000-memory.dmp

Filesize
1024KB

Download
memory/2832-27-0x0000000000830000-0x0000000000984000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads