warmcookie | 74a7adba42d14c4325d64bb93857d44e269a096815df71f24e5a38bd5351842d

Analysis

max time kernel
599s
max time network
595s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded-2.js
Size

114KB
MD5

202ade5e6433d48697049f1962f1c87a
SHA1

cfead5849611f5e42092453afb7d3aa22174b223
SHA256

74a7adba42d14c4325d64bb93857d44e269a096815df71f24e5a38bd5351842d
SHA512

fa7ec940c62ede3bc1627a2f03922090ad114967efd15a7feea998b5abfa0ae9b48630d2376caaabe632a8aa1c7996d81dbcee0b9f9d30c6270f117650648685
SSDEEP

1536:UKucuwu/P9vckrgF4zjnAsR6KZs7/wpY0tOCMBh0ljjqcFs:UKFuf/P9UkG4zjCKo/eKBhYs

Score

10^/10

warmcookie backdoor defense_evasion execution

Malware Config

Extracted

Family

warmcookie

149.248.58.85

Attributes

mutex
3e4d7a5b-aa72-4d5f-8f8c-b292257af55c
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Warmcookie family
warmcookie
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
backdoor warmcookie

Blocklisted process makes network request 17 IoCs

flow	pid	Process
41	4624	rundll32.exe
42	4624	rundll32.exe
43	4624	rundll32.exe
44	4624	rundll32.exe
45	4624	rundll32.exe
46	4624	rundll32.exe
47	4624	rundll32.exe
53	4624	rundll32.exe
54	4624	rundll32.exe
56	4624	rundll32.exe
57	4624	rundll32.exe
59	4624	rundll32.exe
60	4624	rundll32.exe
61	4624	rundll32.exe
62	4624	rundll32.exe
63	4624	rundll32.exe
64	4624	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3524	msiexec.EXE
4624	rundll32.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2044	certutil.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Solid Digital.job	msiexec.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\decoded-2.js
1⤵
PID:3572

C:\Windows\system32\certutil.EXE
C:\Windows\system32\certutil.EXE -decode rad09BB6.tmp rad916B5.tmp
1⤵
- Deobfuscate/Decode Files or Information
PID:2044

C:\Windows\system32\msiexec.EXE
C:\Windows\system32\msiexec.EXE /y C:\Users\Admin\AppData\Local\Temp\rad916B5.tmp
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3524

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\ProgramData\Solid Digital\Updater.dll",Start /u
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad09BB6.tmp

Filesize
71KB

MD5
76e5a2cad9cc7f4d716f68bcb952b068

SHA1
0a249123c5f2c6f49cd7e650323e9eadb19f7e07

SHA256
e4e8ad7da6aedb908e277c4e5ee733c9e29acd2268aaf91d1341eeb55b3fb806

SHA512
6ad6910d26efa258faeedc03df2b9df4f295294be66a9701c577f107e975d8a00022c89f95f986e1aa85bcfdad0d8ee6faad32e17701ce56b59542642925ee78

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad916B5.tmp

Filesize
53KB

MD5
1a28984d6db3abdb967c0c19b56f887d

SHA1
b815a93dedd5575a77b5fa9c0d77a9bc783cdb27

SHA256
b2b67092d3978b0a199c949591bb1872cbc49b91494726a513be407abc2ca6a9

SHA512
63e255c48e9c36485e6e7bc31319fd407027829713cef93dd61edf132949ce3c2de741a70f6ba90347e3d0aa7112acc95b71a7405711eab925f5a491cd5d513f

Download Submit
memory/3524-5-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download
memory/4624-10-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download