warmcookie | 2922d5a4f2de932813d21422303133e01b9ea0ead5714b58f075f6afaf960b80 | Triage

Sharing

General

Target

Survivalcraft_2_3_Multiplayer_x23_01_31_VD_zip.zip
Size

16.7MB
Sample

250129-wgq29stnck
MD5

2c341d93784288891a95dcebdb13f0cc
SHA1

3221d07491579b7d4290c22688760b64360cdb14
SHA256

2922d5a4f2de932813d21422303133e01b9ea0ead5714b58f075f6afaf960b80
SHA512

05cacc08227cc34c3beda2ba521a6c8605d8194924c627f46bd3da2d1bbe798cb5ad2b4061927e1521aef98cf579fc2607c41f62b1158c4e500a38a5a4a6397a
SSDEEP

393216:MSRqleDPCJUDaek0bDrnnmmjestwC0GfeQfUpLPKO4zojRFBwQZJjw1RuCX0:/6eGJeR3znfeywITfUlyOTqQZd6PE

Score

10^/10

warmcookie backdoor discovery execution

Malware Config

Extracted

Family

warmcookie

Targets

- Target
  
  Assets/Audio/Creatures/Moose/Moose2.wav
- Size
  
  21KB
- MD5
  
  103390a32f727ba50eb75248803a1b14
- SHA1
  
  666247d525deeb6edf12388703a2413a38a04d79
- SHA256
  
  faaf70fef31d8d18c913cba8bbf0f60930231537544c6189f07c00d5350f3e82
- SHA512
  
  9cec79833d9193c2960c13915f208b08446073cba5cbd6fece37ba19221c0462f33357833cdfc171343e07bd5f35d4b5a0e003868e2550dd67c8af83cc5a2d66
- SSDEEP
  
  384:tg0YDTuph4qV6ShFyFBizLSUTu5qYqjO3tfKiCySWvQch5l6j2nlQi4jR8NhmmdC:S7HghVRhFCBizLSUTu5/VJKiCvW4cRmF
Score

6^/10

execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral1 behavioral2
- Target
  
  Engine.dll
- Size
  
  550KB
- MD5
  
  52bf3551a5f058d2d1868f2580871c56
- SHA1
  
  295aa650cf394157310f9ad1a2477f9f928c2593
- SHA256
  
  9d7b1ed9bf64c169f29ea7288eaeed716d78438d4a56354001a99a4c4e2fd62e
- SHA512
  
  2968c55dae5a9e706019babc42a8ad9411096b15646bad91700636c5e3febcf70f0e4c3a31e42420b612ce44c43815d89e9e980d7f4f8932364279198942c4ab
- SSDEEP
  
  12288:rbrqQnWjl9DpJMvIcsJ35mEvu0yquL2ZlH:PrBWjLtJMvyJmEvpyp2ZlH
Score

1^/10
behavioral3 behavioral4
- Target
  
  EntitySystem.dll
- Size
  
  57KB
- MD5
  
  57a6158a565357dad92729b657a5097c
- SHA1
  
  d29f759fdb2287405f4930524e923eeface24ca8
- SHA256
  
  01f8c69e17e4adee871611a25a3c509720085a9c19bf76b27154e0e13bc6d31e
- SHA512
  
  d0defd105f6e09834ec31f20f72cbac1dd10624ec4e9a270dbf53bcf483737f784b58f2bb3a7d38ea94f88e64c07e9ac0b063180368aff8c16d59d5513ecef29
- SSDEEP
  
  1536:xTqImxLSYGTUl0MndjN+CGAiQoblD8dZM:xZmxLLKUC+jviQEDMK
Score

1^/10
behavioral5 behavioral6
- Target
  
  LiteNetLib.dll
- Size
  
  96KB
- MD5
  
  bc39826a548f1eacb0f7dc51e09d3329
- SHA1
  
  b394df0a0c4d88f355d2d52a2c1dbd509f1cd139
- SHA256
  
  b39c2205fc6b09173928d24455acaad92964fd93fd86433ad98f9a26942ae54e
- SHA512
  
  8d8ec61ce7452b3bce45c2f67afd894cee6676fc3f67b3077700333211b2e8acd6f59b5376e811f2af7bd245819dc9da986ba5c78685442a6b468fcb8434e13c
- SSDEEP
  
  1536:NJDK8lNBdVHz5vaQ43HriUGHDrQWoitIqsO/46MJmRrrL:jWONRz5vG3LWsqs5PJmR7
Score

1^/10
behavioral7 behavioral8
- Target
  
  Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  715a1fbee4665e99e859eda667fe8034
- SHA1
  
  e13c6e4210043c4976dcdc447ea2b32854f70cc6
- SHA256
  
  c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
- SHA512
  
  bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
- SSDEEP
  
  12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
Score

1^/10
behavioral10 behavioral9
- Target
  
  OpenAL/x64/openal32.dll
- Size
  
  407KB
- MD5
  
  2b5a427b85eea53675484405af5010e0
- SHA1
  
  19201c0fb48ed20effd74de7989c2fa45326e35e
- SHA256
  
  f42706c862bc3d66550eb0a929bd5cb195c7a1f6a181cc854d59fc124d771023
- SHA512
  
  f1793a8d9402da2d23e14046ca2618bdb5fc0dd8986880f07d54df8fd3b23359de9d9b515f53b072a1d843b492d000ac5f2716ceb01f3f9d694e1aa8c4cf10d3
- SSDEEP
  
  6144:ipdaQesGCdaTNOznuivPI6YXaZGQTH0PBXWSD1y/X4uI+D:wTesGgaTNO6ivPjKaZG4X4uI+D
Score

10^/10

warmcookie backdoor
- Warmcookie family
  warmcookie
- Warmcookie, Badspace
  Warmcookie aka Badspace is a backdoor written in C++.
  backdoor warmcookie
behavioral11 behavioral12
- Target
  
  OpenAL/x86/openal32.dll
- Size
  
  688KB
- MD5
  
  eb6d3a54c9d8ad689311f58a28582bf0
- SHA1
  
  ebbba61fd88c2e61a2e9d02a05532dc3b359dd44
- SHA256
  
  a22b03451246bdbb4a136b838f7a301651999dd0e1f979c09c27017337b64b60
- SHA512
  
  fdee08beaa86bce313d9747db6796e24cbd878ad9dee04b277a4c6a4d88e50799e6c4f2c93ceaa0b8270ff632f74f2ec783de35cb43889c55278df85ecce3515
- SSDEEP
  
  12288:R+zcxi8mKyKs2WfN9gWzzkZz5fQoDtL+qyy8FOsY:R+uiYO2sNCWzzkZz5XPCOp
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  OpenTK.dll
- Size
  
  3.8MB
- MD5
  
  f53fc357a78ebb49d68d11ab84ac207b
- SHA1
  
  7aa877ccaffd3017bea679904b2bbf6101692a60
- SHA256
  
  fd7cb5fc016a15c619afe5d111b7d3b243aba210c32be279e80b72aa3290a8aa
- SHA512
  
  c66a3143eaaa2d0202acc8b56516008ad534626126f2bf49ce8c4622cb384f04a7be8681d3774cf1eacd78edb633b7ee9c0542ac699cf4141fdc9f6a3f8cc367
- SSDEEP
  
  24576:TKo+np+n3CGBO9XNTdlCOR46nKOwJWfbLXVFyeGRjFw/thyMa3xB:/CGBO9XNTXKpgTzSjWJa3
Score

1^/10
behavioral15 behavioral16
- Target
  
  Survivalcraft.exe
- Size
  
  2.0MB
- MD5
  
  a88eade8ef55207bb2cd93a5683336ec
- SHA1
  
  15a249a01c70264548093fede9a29925602842bd
- SHA256
  
  c5da3e9fff5d4b4327e4de3be09b826e9c339a2d72f0d55a6b1ad0df383ce179
- SHA512
  
  3817e76ff6afdeadaccf4196581dbe6f944c3bbf6fd9c5d088b2a4cfc0c2818c7314b3c18cdf0e6d7ebbf1b07817cfcd899859c6433ae2df7dc79b54efd90227
- SSDEEP
  
  49152:KF7lnLRWUAhQjlQj/35MOUrPHf68k1V8:KF7ln9WPz/35MOUUV
Score

10^/10

warmcookie backdoor
- Warmcookie family
  warmcookie
- Warmcookie, Badspace
  Warmcookie aka Badspace is a backdoor written in C++.
  backdoor warmcookie
behavioral17 behavioral18
- Target
  
  install.sh
- Size
  
  755B
- MD5
  
  0236640f3131e5d24dc99177259ad1ee
- SHA1
  
  1500a57991961cd103b845b8ecd1dfdac37a3cbc
- SHA256
  
  2a27ec723863f8f558a93448080264829c29d7fe70740fee46eea550d8a9f0bc
- SHA512
  
  2566b0a860d40fe981c5a9b25096de313aa76a4e316477f40ef1298f7202458f0d7367e41a4fd8d256702ef8be4b29cacf9dd0fd5e514f4fc90c0add19e3283f
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  start.sh
- Size
  
  238B
- MD5
  
  fb8b542cb42667070d7595962d57a40f
- SHA1
  
  0a353d32f08d6ec9acb0a0e8b5262fcea3df8bec
- SHA256
  
  a2dc63fd4081a38e93a91bc9cf8ff59ccb16a25482a2471e91b638a3910544d9
- SHA512
  
  45e31b4a5611c27fafe3e067dfc14d4229559641e22a557db70d09b4ae8742d756125118fcc9c43d5113bc373f48c6838c20bec10f7048c5f794bd42cfecf3de
Score

3^/10

discovery
behavioral21 behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdoorwarmcookie

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

warmcookiebackdoor

behavioral12

warmcookiebackdoor

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

warmcookiebackdoor

behavioral18

warmcookiebackdoor

behavioral19

behavioral20

behavioral21

behavioral22