Malware
WarmCookie
Also known as: Badspace · Carrotstick · QUICKBIND
2 YARA rules
WarmCookie is a backdoor capable of executing commands, reading and writing files, and capturing screenshots. It communicates with its command and control (C2) server over HTTP to receive further instructions and to exfiltrate collected data. It is commonly distributed through phishing campaigns and malicious downloads aimed at end users.
Indicators of Compromise 15
Filename: AutoPico.exe
Filename: SECOH-QAD.exe
Filename: SignInfoConsole.exe
Filename: VID001.exe
Filename: u992574.dll
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
MD5: 38de5b216c33833af710e88f7f64fc98
MD5: 41acb30b9d662d48b7b4fc0ac3d4b79f
MD5: cc4d231df34e57f59eb970353c7d9de2
MD5: dbd8dbecaa80795c135137d69921fdba
SHA-256: 853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453
SHA-256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
SHA-256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA-256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
SHA-256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
MITRE ATT&CK TTPs 2
YARA Detection Rules
WarmCookie_YARA_Detection
yara ai_generated
rule WarmCookie_Detection {
    meta:
        description = "Detects malicious COM interface usage associated with WarmCookie malware leveraging DCOM for lateral movement and execution"
        author = "AI Generated"
    strings:
        // COM/DCOM API and interface names. These also occur in the import tables and
        // type information of legitimate COM clients, so expect false positives on their own.
        $s1 = "CoCreateInstanceEx" ascii wide
        $s2 = "IObjectHandle" ascii wide
        $s3 = "IRemUnknown" ascii wide
        $s4 = "Distributed COM" ascii wide
        $s5 = "TaskScheduler" ascii wide
        $s6 = "BITSAdmin" ascii wide
        $s7 = "CoSetProxyBlanket" ascii wide
        $s8 = "CLSIDFromString" ascii wide
        $s9 = "CreateInstance" ascii wide
        $s10 = "IStorage" ascii wide
    condition:
        // 0x5A4D is "MZ" read as a little-endian uint16. The original condition ended in
        // "or uint16(0) == 0x4D5A" ("ZM"); because "and" binds tighter than "or", that clause
        // alone satisfied the rule for any file starting with "ZM", regardless of the strings.
        uint16(0) == 0x5A4D and
        any of ($s1, $s2, $s3) and
        any of ($s4, $s5, $s6) and
        any of ($s7, $s8, $s9, $s10)
}
WarmCookie_YARA_Detection
yara ai_generated
import "hash"

// Renamed from WarmCookie_Detection so that both rules on this page compile in one ruleset.
rule WarmCookie_Detection_IoC {
    meta:
        description = "Detects malware family WarmCookie leveraging COM abuse for lateral movement and persistence"
        author = "AI Generated"
        malware = "WarmCookie"
        // T1559.001 is Inter-Process Communication: Component Object Model. The original meta
        // cited T1059.001 (PowerShell), which nothing in this rule targets.
        ttp = "T1559.001"
    strings:
        $s1 = "CoCreateInstance" ascii wide nocase
        // Registry path prefix. The original "CLSID\\{*" matched a literal '*':
        // YARA text strings have no wildcards, so that string could never hit.
        $s2 = "CLSID\\{" ascii wide nocase
        $s3 = "InprocServer32" ascii wide nocase
        $s4 = "regsvr32.exe" ascii wide nocase
        $s5 = "rundll32.exe" ascii wide nocase
        $s6 = "comsvcs.dll" ascii wide nocase
        $s7 = "MiniDumpWriteDump" ascii wide nocase
        $s8 = "IMallocSpy" ascii wide nocase
        $s9 = "IStorage" ascii wide nocase
        $s10 = "IPersist" ascii wide nocase
        $s11 = "IVariantChangeType" ascii wide nocase
        // $s12 to $s20 are never referenced by the condition. YARA refuses to compile a rule
        // with unreferenced strings, so they are kept here only as candidate indicators.
        // $s12 = "CoInitialize" ascii wide nocase
        // $s13 = "CoUninitialize" ascii wide nocase
        // $s14 = "LoadLibrary" ascii wide nocase
        // $s15 = "CreateProcess" ascii wide nocase
        // $s16 = "CallWindowProc" ascii wide nocase
        // $s17 = "URLDownloadToFile" ascii wide nocase
        // $s18 = "WinHttpOpen" ascii wide nocase
        // $s19 = "CreateMutex" ascii wide nocase
        // $s20 = "SetWindowsHook" ascii wide nocase
        $filename1 = "VID001.exe" ascii wide nocase
        $filename2 = "SECOH-QAD.exe" ascii wide nocase
        $filename3 = "AutoPico.exe" ascii wide nocase
        $filename4 = "u992574.dll" ascii wide nocase
        $filename5 = "SignInfoConsole.exe" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and
        (
            // Known-sample match on the file's own digest. The original rule listed the hashes
            // as text strings ($hash1..$hash10), which a file never contains about itself.
            hash.sha256(0, filesize) == "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or
            hash.md5(0, filesize) == "2915b3f8b703eb744fc54c81f4a9c67f" or
            hash.md5(0, filesize) == "38de5b216c33833af710e88f7f64fc98" or
            hash.md5(0, filesize) == "41acb30b9d662d48b7b4fc0ac3d4b79f" or
            hash.md5(0, filesize) == "cc4d231df34e57f59eb970353c7d9de2" or
            hash.md5(0, filesize) == "dbd8dbecaa80795c135137d69921fdba" or
            // Heuristic branch: a known dropper file name embedded in the binary together with
            // the COM strings. "any of $filename*" without parentheses and the unbalanced
            // parenthesis of the original condition were both syntax errors.
            (
                any of ($filename*) and
                (
                    all of ($s1, $s2, $s3) or
                    (all of ($s4, $s5, $s6) and any of ($s7, $s8, $s9, $s10, $s11))
                )
            )
        )
}
⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
Source Articles
Introduction to COM usage by Windows threats
Component Object Model (COM) is a foundational Windows technology increasingly exploited by threat actors for malicious purposes such as persistence, lateral movement, execution, and evasion. Malware families like Qakbot, Gh0stRAT, and WarmCookie leverage COM interfaces to interact with Windows services including Task Scheduler, WMI, and BITS, often bypassing traditional detection mechanisms. These threats use indirect vtable calls and DCOM for stealthy operations, making static analysis more complex. Understanding COM usage is critical for effective threat hunting and reverse engineering.
talos ·1w ago
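The article summarized above makes the point that COM clients name what they talk to by GUID, not by string: the CLSID and IID handed to CoCreateInstance are 16-byte binary constants, and only CLSIDFromString-style code or a registry path keeps them as text. String rules like the two above, which look for API names, therefore miss the most direct artifact. The following Python is an added example, not code from this page or from Talos: it scans a byte blob for the documented CLSIDs and IIDs of the Task Scheduler, WMI and BITS COM servers in both binary (little-endian) and text form, and emits the YARA hex pattern for a GUID so a rule can match the binary constant itself. The KNOWN_GUIDS table holds the documented Windows values; the sample blob is constructed here and is not a real WarmCookie file.

```python
import uuid
from typing import Dict, List, Tuple

# Documented Windows CLSIDs/IIDs for the COM servers the Talos write-up names
# (Task Scheduler, WMI, BITS). Malware passes these to CoCreateInstance as
# 16-byte binary constants, so they never show up in a plain strings dump.
KNOWN_GUIDS: Dict[str, str] = {
    "0F87369F-A4E5-4CFC-BD3E-73E6154572DD": "CLSID_TaskScheduler",
    "2FABA4C7-4DA9-4013-9697-20CC3FD40F85": "IID_ITaskService",
    "4590F811-1D3A-11D0-891F-00AA004B2E24": "CLSID_WbemLocator",
    "DC12A687-737F-11CF-884D-00AA004B2E24": "IID_IWbemLocator",
    "4991D34B-80A1-4291-83B6-3328366B9097": "CLSID_BackgroundCopyManager",
    "5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C": "IID_IBackgroundCopyManager",
}

Hit = Tuple[int, str, str]  # (offset, GUID text, symbolic name)


def guid_to_bytes_le(guid: str) -> bytes:
    """Binary GUID as laid out in memory and in a PE section: Data1, Data2 and
    Data3 little-endian, Data4 byte for byte. uuid's bytes_le is exactly that layout."""
    return uuid.UUID(guid).bytes_le


def guid_to_yara_hex(guid: str) -> str:
    """YARA hex-string form of the binary GUID, for a rule that matches the constant itself."""
    return "{ " + " ".join(f"{b:02X}" for b in guid_to_bytes_le(guid)) + " }"


def _find_all(data: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in data."""
    offsets, idx = [], data.find(needle)
    while idx >= 0:
        offsets.append(idx)
        idx = data.find(needle, idx + 1)
    return offsets


def scan_binary_guids(data: bytes) -> List[Hit]:
    """Known GUIDs stored as 16-byte binary constants (the CoCreateInstance case)."""
    hits: List[Hit] = []
    for guid, name in KNOWN_GUIDS.items():
        hits += [(off, guid, name) for off in _find_all(data, guid_to_bytes_le(guid))]
    return sorted(hits)


def scan_text_guids(data: bytes) -> List[Hit]:
    """Known GUIDs kept as ASCII or UTF-16LE text in either case (the CLSIDFromString
    and registry-path case). Braces are left out of the needle so both forms match."""
    hits: List[Hit] = []
    for guid, name in KNOWN_GUIDS.items():
        for text in (guid, guid.lower()):
            for enc in ("ascii", "utf-16le"):
                hits += [(off, guid, name + " (text)") for off in _find_all(data, text.encode(enc))]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed stand-in for a slice of a PE image (not a real WarmCookie sample):
    a DOS header prefix, a binary CLSID/IID pair as CoCreateInstance receives them,
    and one wide-string CLSID as CLSIDFromString receives it."""
    blob = b"MZ" + b"\x00" * 62                                          # offsets 0..63
    blob += guid_to_bytes_le("0F87369F-A4E5-4CFC-BD3E-73E6154572DD")    # offset 64: rclsid
    blob += b"\x90" * 16                                                  # filler
    blob += guid_to_bytes_le("2FABA4C7-4DA9-4013-9697-20CC3FD40F85")    # offset 96: riid
    blob += b"\x00" * 8
    blob += "{4991D34B-80A1-4291-83B6-3328366B9097}".encode("utf-16le")  # text from offset 120
    return blob


if __name__ == "__main__":
    sample = build_sample()
    for off, guid, name in scan_binary_guids(sample) + scan_text_guids(sample):
        print(f"0x{off:04x}  {name:<34} {guid}")
    print("YARA:", guid_to_yara_hex("0F87369F-A4E5-4CFC-BD3E-73E6154572DD"))
```

Run it over a dumped section or a whole file instead of build_sample() to list which COM servers a binary can instantiate without executing it; the hex pattern printed for CLSID_TaskScheduler can be dropped straight into a YARA rule as a hex string, which is far more specific than the API-name strings above.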
Beyond IOCs: AI-enabled threat intelligence
Cisco Talos highlights the increasing abuse of Windows Component Object Model (COM) by malware families such as Qakbot and WarmCookie for lateral movement, persistence, and evasion. COM's use of opaque GUIDs and indirect vtable calls complicates manual analysis and static detection, allowing attackers to blend malicious activities with legitimate system processes. Defenders are advised to enhance their ability to detect and interpret COM-related artifacts to uncover hidden stages of the infection chain.
talos ·1w ago