warzonerat | 91b7d74c915549719b90515f7dc82586b304f305b662b2336766611775303092

Analysis

max time kernel
133s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
Size

1.4MB
MD5

226d09965a7206e7e91212da80e08ffb
SHA1

6decc224a3bb4614e4695c95ad2574eb2a13832c
SHA256

91b7d74c915549719b90515f7dc82586b304f305b662b2336766611775303092
SHA512

379005c6a479a8f14b3c3e4c5293350f6b870f75ee86f05d4b8cca04744685f9bba57af023897c4ab317d21e3451433064893b33f7c6a4f3a721b97c0d178d78
SSDEEP

12288:DUrx89Suu+roPvsz+DSWutLMXa+jkm3HMpknqPx8ZrbXCnuH57pUoyuDOeu9eWKg:

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

xls.medicelcoolers.cn:5200

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe\""	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4092-8-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4092-9-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4092-10-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4092-14-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe"	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe"	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

pid	process
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description pid process target process

PID 792 set thread context of 4092 792 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 792 WerFault.exe 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3352 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

pid process

792 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
792 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 792 226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	pid	process	target process
PID 792 set thread context of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

pid	pid_target	process	target process
1620	792	WerFault.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

pid	process
3352	timeout.exe

description	pid	process
Token: SeDebugPrivilege	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

226d09965a7206e7e91212da80e08ffb_JaffaCakes118.execmd.exe226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe

description	pid	process	target process
PID 792 wrote to memory of 4500	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 792 wrote to memory of 4500	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 792 wrote to memory of 4500	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 4500 wrote to memory of 3352	4500	cmd.exe	timeout.exe
PID 4500 wrote to memory of 3352	4500	cmd.exe	timeout.exe
PID 4500 wrote to memory of 3352	4500	cmd.exe	timeout.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 792 wrote to memory of 4092	792	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
PID 4092 wrote to memory of 4936	4092	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 4092 wrote to memory of 4936	4092	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 4092 wrote to memory of 4936	4092	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 4092 wrote to memory of 4936	4092	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe
PID 4092 wrote to memory of 4936	4092	226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3352

C:\Users\Admin\AppData\Local\Temp\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\226d09965a7206e7e91212da80e08ffb_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1028
2⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 792 -ip 792
1⤵
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/792-1-0x0000000000F20000-0x000000000108A000-memory.dmp

Filesize
1.4MB

Download
memory/792-2-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/792-3-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/792-4-0x0000000003430000-0x0000000003468000-memory.dmp

Filesize
224KB

Download
memory/792-5-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/792-11-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4092-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4092-9-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4092-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4092-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4936-12-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download