Extracted

• • Target

    JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d

  • Size

    1008KB

  • MD5

    76f0a231b34a3dd9e2b62c6864f03f8d

  • SHA1

    afd49af43fd2660174cda0fe3c27ba55529bae97

  • SHA256

    cb43ea6d66480a93de51849fb4e0a3287f7ce6f7dcb9594eb8a492b5d8365286

  • SHA512

    b7a15ba8ab4b4765d2045a3da8682e4115c9296863ce722a44cbd3c6d2308fdb858169a0dd0ba53a1acb7567226d12e87629c5e306a4e1caa162c988f935b601

  • SSDEEP

    24576:rAOcZEhSwqGGP+CDOOdfHxWfBtkbg4cncmOQEN5v5:tswqGGP+GOQfHYfBX4Dt7Z

  Score

  10^/10

  warzoneratdiscoveryinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • Warzone RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2