warzonerat | cb43ea6d66480a93de51849fb4e0a3287f7ce6f7dcb9594eb8a492b5d8365286

General

Target

JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
Size

1008KB
MD5

76f0a231b34a3dd9e2b62c6864f03f8d
SHA1

afd49af43fd2660174cda0fe3c27ba55529bae97
SHA256

cb43ea6d66480a93de51849fb4e0a3287f7ce6f7dcb9594eb8a492b5d8365286
SHA512

b7a15ba8ab4b4765d2045a3da8682e4115c9296863ce722a44cbd3c6d2308fdb858169a0dd0ba53a1acb7567226d12e87629c5e306a4e1caa162c988f935b601
SSDEEP

24576:rAOcZEhSwqGGP+CDOOdfHxWfBtkbg4cncmOQEN5v5:tswqGGP+GOQfHYfBX4Dt7Z

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.66:179

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2968-75-0x0000000000D00000-0x0000000001402000-memory.dmp	warzonerat
behavioral2/memory/2968-76-0x0000000000D00000-0x0000000001402000-memory.dmp	warzonerat
behavioral2/memory/2968-77-0x0000000000D00000-0x0000000001402000-memory.dmp	warzonerat
behavioral2/memory/2968-81-0x0000000000D00000-0x0000000001402000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	bikcxl.pif
2968	RegSvcs.exe
536	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67346578\\bikcxl.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\67346578\\ALMITQ~1.OFR"	bikcxl.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2968	3040	bikcxl.pif	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bikcxl.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3040	4080	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	82
PID 4080 wrote to memory of 3040	4080	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	82
PID 4080 wrote to memory of 3040	4080	JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe	82
PID 3040 wrote to memory of 2968	3040	bikcxl.pif	91
PID 3040 wrote to memory of 2968	3040	bikcxl.pif	91
PID 3040 wrote to memory of 2968	3040	bikcxl.pif	91
PID 3040 wrote to memory of 2968	3040	bikcxl.pif	91
PID 3040 wrote to memory of 2968	3040	bikcxl.pif	91
PID 2968 wrote to memory of 2276	2968	RegSvcs.exe	92
PID 2968 wrote to memory of 2276	2968	RegSvcs.exe	92
PID 2968 wrote to memory of 2276	2968	RegSvcs.exe	92
PID 2968 wrote to memory of 2276	2968	RegSvcs.exe	92
PID 2968 wrote to memory of 2276	2968	RegSvcs.exe	92
PID 2276 wrote to memory of 536	2276	cmd.exe	96
PID 2276 wrote to memory of 536	2276	cmd.exe	96
PID 2276 wrote to memory of 536	2276	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76f0a231b34a3dd9e2b62c6864f03f8d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif
  "C:\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif" almitqwmvj.ofr
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67346578\bikcxl.pif

Filesize
758KB

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Local\Temp\67346578\rtpjdn.rbs

Filesize
226KB

MD5
e0d5c19659e13d38d2678d13c6fab26f

SHA1
de6bad309a4ed06c44b372348415a979ad2f19fd

SHA256
fd97388fdf025dfded053e056a6e791ecffcbba303917c632bfdd9609a1cd457

SHA512
99df654a8b8f124434ba25d58f392623712b6c8538f36cffa3e3a4c9273117dd977352a9f9a53d78cc9817651d30d592dd5cd308385505b8c94b1a14f1648513

Download Submit
C:\Users\Admin\AppData\Local\Temp\67346578\xqjkb.ppt

Filesize
62KB

MD5
0a263b4d3d4a222abfd906f9ab63d96a

SHA1
3686211379af62b9091adcc9bdfc7793cc781f77

SHA256
4c7d4a3a6ea58ac811c58dbe06565f7c08059424dd841efd4e0755f4a8c14185

SHA512
360248c9f76a639cbd391fd026450e0cbbf1541780e8cfe462c8d0646d67dd5ddb6f03dbdf39be651db32d40ce1447271f7d412d11b2c46f3340107838834b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/536-84-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/536-85-0x0000000004A50000-0x0000000004A8C000-memory.dmp

Filesize
240KB

Download
memory/536-86-0x0000000004A20000-0x0000000004A41000-memory.dmp

Filesize
132KB

Download
memory/2276-79-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2968-75-0x0000000000D00000-0x0000000001402000-memory.dmp

Filesize
7.0MB

Download
memory/2968-76-0x0000000000D00000-0x0000000001402000-memory.dmp

Filesize
7.0MB

Download
memory/2968-77-0x0000000000D00000-0x0000000001402000-memory.dmp

Filesize
7.0MB

Download
memory/2968-81-0x0000000000D00000-0x0000000001402000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads