warzonerat | cb43ea6d66480a93de51849fb4e0a3287f7ce6f7dcb9594eb8a492b5d8365286

General

Target

JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
Size

1008KB
MD5

76f0a231b34a3dd9e2b62c6864f03f8d
SHA1

afd49af43fd2660174cda0fe3c27ba55529bae97
SHA256

cb43ea6d66480a93de51849fb4e0a3287f7ce6f7dcb9594eb8a492b5d8365286
SHA512

b7a15ba8ab4b4765d2045a3da8682e4115c9296863ce722a44cbd3c6d2308fdb858169a0dd0ba53a1acb7567226d12e87629c5e306a4e1caa162c988f935b601
SSDEEP

24576:rAOcZEhSwqGGP+CDOOdfHxWfBtkbg4cncmOQEN5v5:tswqGGP+GOQfHYfBX4Dt7Z

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.66:179

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2840-87-0x0000000000390000-0x0000000000A92000-memory.dmp	warzonerat
behavioral1/memory/2840-89-0x0000000000390000-0x0000000000A92000-memory.dmp	warzonerat

Executes dropped EXE 3 IoCs

pid	Process
1220	bikcxl.pif
2840	RegSvcs.exe
2600	RegSvcs.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
1220	bikcxl.pif
2932	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67346578\\bikcxl.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\67346578\\ALMITQ~1.OFR"	bikcxl.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2840	1220	bikcxl.pif	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bikcxl.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1220	2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	30
PID 2292 wrote to memory of 1220	2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	30
PID 2292 wrote to memory of 1220	2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	30
PID 2292 wrote to memory of 1220	2292	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	30
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 1220 wrote to memory of 2840	1220	bikcxl.pif	32
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2840 wrote to memory of 2932	2840	RegSvcs.exe	33
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35
PID 2932 wrote to memory of 2600	2932	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif
  "C:\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif" almitqwmvj.ofr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67346578\rtpjdn.rbs

Filesize
226KB

MD5
e0d5c19659e13d38d2678d13c6fab26f

SHA1
de6bad309a4ed06c44b372348415a979ad2f19fd

SHA256
fd97388fdf025dfded053e056a6e791ecffcbba303917c632bfdd9609a1cd457

SHA512
99df654a8b8f124434ba25d58f392623712b6c8538f36cffa3e3a4c9273117dd977352a9f9a53d78cc9817651d30d592dd5cd308385505b8c94b1a14f1648513

Download Submit
C:\Users\Admin\AppData\Local\Temp\67346578\xqjkb.ppt

Filesize
62KB

MD5
0a263b4d3d4a222abfd906f9ab63d96a

SHA1
3686211379af62b9091adcc9bdfc7793cc781f77

SHA256
4c7d4a3a6ea58ac811c58dbe06565f7c08059424dd841efd4e0755f4a8c14185

SHA512
360248c9f76a639cbd391fd026450e0cbbf1541780e8cfe462c8d0646d67dd5ddb6f03dbdf39be651db32d40ce1447271f7d412d11b2c46f3340107838834b83

Download Submit
\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif

Filesize
758KB

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2600-99-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2600-100-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2840-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-84-0x0000000000390000-0x0000000000A92000-memory.dmp

Filesize
7.0MB

Download
memory/2840-87-0x0000000000390000-0x0000000000A92000-memory.dmp

Filesize
7.0MB

Download
memory/2840-89-0x0000000000390000-0x0000000000A92000-memory.dmp

Filesize
7.0MB

Download
memory/2932-91-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2932-93-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads