warmcookie | a75cab3593ad35620817235a9bd7938c7adaa8b3ce12a2da20e3e145ac304346

Analysis

max time kernel
600s
max time network
594s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 21:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.js
Size

747KB
MD5

97835729c58cae6501e9b3a3776e9906
SHA1

63012f62e00a491b83adaba8804d890ac809490a
SHA256

a75cab3593ad35620817235a9bd7938c7adaa8b3ce12a2da20e3e145ac304346
SHA512

0ed5d7c90dbb260a732dd990d40a69f0997f8390db0a4cecc18349965e052e13ff8f5ecb709b95b176cc7e3686fbb08775e4b97b2253aa7aef9a1212607e8964
SSDEEP

12288:q/VoiDR8Cx2ouvoqEZTwXasSNKF+uV6VBEx2:q/Vok2tI+w

Score

10^/10

warmcookie backdoor defense_evasion execution

Malware Config

Extracted

Family

warmcookie

149.248.58.85

Attributes

mutex
3e4d7a5b-aa72-4d5f-8f8c-b292257af55c
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Warmcookie family
warmcookie
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
backdoor warmcookie

Blocklisted process makes network request 8 IoCs

flow	pid	Process
41	3412	rundll32.exe
43	3412	rundll32.exe
44	3412	rundll32.exe
51	3412	rundll32.exe
52	3412	rundll32.exe
54	3412	rundll32.exe
55	3412	rundll32.exe
56	3412	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1124	msiexec.EXE
3412	rundll32.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
312	certutil.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Software Allies.job	msiexec.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\l.js
1⤵
PID:4436

C:\Windows\system32\certutil.EXE
C:\Windows\system32\certutil.EXE -decode rad835CB.tmp rad32E7B.tmp
1⤵
- Deobfuscate/Decode Files or Information
PID:312

C:\Windows\system32\msiexec.EXE
C:\Windows\system32\msiexec.EXE /y C:\Users\Admin\AppData\Local\Temp\rad32E7B.tmp
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1124

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\ProgramData\Software Allies\Updater.dll",Start /u
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3412

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

167.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.190.18.2.in-addr.arpa

IN PTR

Response

167.190.18.2.in-addr.arpa

IN PTR

a2-18-190-167deploystaticakamaitechnologiescom
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

85.58.248.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.58.248.149.in-addr.arpa

IN PTR

Response

85.58.248.149.in-addr.arpa

IN PTR

1492485885vultrusercontentcom
DNS

24.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.73.42.20.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom

149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

480 B
212 B
7
5
149.248.58.85:443

tls

rundll32.exe

342 B
132 B
4
3

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

5.114.82.104.in-addr.arpa

dns

213 B
135 B
3
1

DNS Request

5.114.82.104.in-addr.arpa

DNS Request

5.114.82.104.in-addr.arpa

DNS Request

5.114.82.104.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

167.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

167.190.18.2.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

85.58.248.149.in-addr.arpa

dns

72 B
120 B
1
1

DNS Request

85.58.248.149.in-addr.arpa
8.8.8.8:53

24.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

24.73.42.20.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad32E7B.tmp

Filesize
53KB

MD5
1a28984d6db3abdb967c0c19b56f887d

SHA1
b815a93dedd5575a77b5fa9c0d77a9bc783cdb27

SHA256
b2b67092d3978b0a199c949591bb1872cbc49b91494726a513be407abc2ca6a9

SHA512
63e255c48e9c36485e6e7bc31319fd407027829713cef93dd61edf132949ce3c2de741a70f6ba90347e3d0aa7112acc95b71a7405711eab925f5a491cd5d513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad835CB.tmp

Filesize
71KB

MD5
76e5a2cad9cc7f4d716f68bcb952b068

SHA1
0a249123c5f2c6f49cd7e650323e9eadb19f7e07

SHA256
e4e8ad7da6aedb908e277c4e5ee733c9e29acd2268aaf91d1341eeb55b3fb806

SHA512
6ad6910d26efa258faeedc03df2b9df4f295294be66a9701c577f107e975d8a00022c89f95f986e1aa85bcfdad0d8ee6faad32e17701ce56b59542642925ee78

Download Submit
memory/1124-5-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download
memory/3412-10-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.