Malware

WarmCookie

Also known as: Badspace · Carrotstick · QUICKBIND


WarmCookie is a backdoor capable of executing commands, reading and writing files, and capturing screenshots. It communicates with a command-and-control (C2) server over HTTP to receive further instructions and to exfiltrate collected data. It is commonly distributed through phishing campaigns and malicious downloads.

Indicators of Compromise 15

MITRE ATT&CK TTPs 2

YARA Detection Rules

WarmCookie_YARA_Detection
yara ai_generated
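// NOTE(review): the second rule on this page uses the same identifier
// (WarmCookie_Detection). YARA rejects a ruleset that defines a rule name
// twice, so rename one of them before compiling both into one file.
rule WarmCookie_Detection {
    meta:
        description = "Detects malicious COM interface usage associated with WarmCookie malware leveraging DCOM for lateral movement and execution"
        author = "AI Generated"

    strings:
        // Every string below is an ordinary Win32/COM API, interface or
        // component name; legitimate COM clients, schedulers and installers
        // carry them too. Treat a hit as a hunting/triage signal, not a verdict.
        $s1 = "CoCreateInstanceEx" ascii wide
        $s2 = "IObjectHandle" ascii wide
        $s3 = "IRemUnknown" ascii wide
        $s4 = "Distributed COM" ascii wide
        $s5 = "TaskScheduler" ascii wide
        $s6 = "BITSAdmin" ascii wide
        $s7 = "CoSetProxyBlanket" ascii wide
        $s8 = "CLSIDFromString" ascii wide
        $s9 = "CreateInstance" ascii wide
        $s10 = "IStorage" ascii wide

    condition:
        // uint16() reads little-endian, so the PE "MZ" signature is 0x5A4D.
        // The original also accepted 0x4D5A ("ZM"), and because `and` binds
        // tighter than `or` that alternative let any file beginning with "ZM"
        // match with zero string hits. The PE check is now ANDed with all
        // three string groups and the bogus alternative is dropped.
        uint16(0) == 0x5A4D and
        any of ($s1, $s2, $s3) and
        any of ($s4, $s5, $s6) and
        any of ($s7, $s8, $s9, $s10)
}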
WarmCookie_YARA_Detection
yara ai_generated
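// The hash module is needed for the known-sample digest checks below; it is
// built into standard YARA distributions but can be disabled at build time.
import "hash"

// NOTE(review): the first rule on this page uses the same identifier
// (WarmCookie_Detection). YARA rejects a ruleset that defines a rule name
// twice, so rename one of them before compiling both into one file.
rule WarmCookie_Detection {
    meta:
        description = "Detects malware family WarmCookie leveraging COM abuse for lateral movement and persistence"
        author = "AI Generated"
        malware = "WarmCookie"
        // NOTE(review): T1059.001 is "Command and Scripting Interpreter:
        // PowerShell", which nothing in this rule looks for. The strings
        // describe COM instantiation and regsvr32/rundll32 loading, so
        // T1559.001 (COM) and T1218.010/.011 (Regsvr32/Rundll32) look closer;
        // confirm against the page's TTP list before relying on this tag.
        ttp = "T1059.001"

    strings:
        // Generic COM / living-off-the-land API and interface names. They
        // appear in plenty of benign software; the filename or digest check in
        // the condition is what narrows the rule to the reported samples.
        $s1 = "CoCreateInstance" ascii wide nocase
        // YARA text strings have no wildcards: the original "CLSID\\{*"
        // searched for a literal '*' after the brace and could never match a
        // real registry path such as CLSID\{GUID}.
        $s2 = "CLSID\\{" ascii wide nocase
        $s3 = "InprocServer32" ascii wide nocase
        $s4 = "regsvr32.exe" ascii wide nocase
        $s5 = "rundll32.exe" ascii wide nocase
        $s6 = "comsvcs.dll" ascii wide nocase
        $s7 = "MiniDumpWriteDump" ascii wide nocase
        $s8 = "IMallocSpy" ascii wide nocase
        $s9 = "IStorage" ascii wide nocase
        $s10 = "IPersist" ascii wide nocase
        $s11 = "IVariantChangeType" ascii wide nocase
        // The original also declared $s12-$s20 (CoInitialize, LoadLibrary,
        // CreateProcess, WinHttpOpen, CreateMutex, ...) but never referenced
        // them in the condition; YARA treats an unreferenced string as a
        // compile error, so they were removed rather than left dead.

        // Sample filenames reported with the campaign. A dropped binary does
        // not necessarily embed its own on-disk name, so this is a weak
        // signal on its own; it is the only non-digest narrowing the rule has.
        $filename1 = "VID001.exe" ascii wide nocase
        $filename2 = "SECOH-QAD.exe" ascii wide nocase
        $filename3 = "AutoPico.exe" ascii wide nocase
        $filename4 = "u992574.dll" ascii wide nocase
        $filename5 = "SignInfoConsole.exe" ascii wide nocase

    condition:
        // PE header check; uint16() is little-endian so "MZ" is 0x5A4D.
        uint16(0) == 0x5A4D and
        (
            any of ($filename*) or
            // Known-sample match. The original rule declared these digests as
            // text strings and searched for them inside the file, which a
            // sample never contains; the file's own digest is compared instead.
            // Digests are taken verbatim from the AI-generated rule and should
            // be validated against the page's IoC list before use.
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.md5(0, filesize) == "2915b3f8b703eb744fc54c81f4a9c67f" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.md5(0, filesize) == "38de5b216c33833af710e88f7f64fc98" or
            hash.sha256(0, filesize) == "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638" or
            hash.md5(0, filesize) == "cc4d231df34e57f59eb970353c7d9de2" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or
            hash.md5(0, filesize) == "dbd8dbecaa80795c135137d69921fdba" or
            hash.sha256(0, filesize) == "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453" or
            hash.md5(0, filesize) == "41acb30b9d662d48b7b4fc0ac3d4b79f"
        ) and
        // Structural COM-abuse pattern: either the in-process COM registration
        // trio, or the regsvr32/rundll32/comsvcs LOLBin trio plus one of the
        // dump/COM interface names. The original had an unbalanced closing
        // parenthesis here that made the rule fail to compile.
        (
            all of ($s1, $s2, $s3) or
            (all of ($s4, $s5, $s6) and any of ($s7, $s8, $s9, $s10, $s11))
        )
}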

Rules are AI-generated and unvalidated. Both rules key largely on common Win32/COM API and interface names that legitimate software also contains, so expect false positives; test against a clean-software corpus and in a safe environment before any production use.

Source Articles