Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

WarmCookie

131
Global rank
133 infographic chevron month
Month rank
126 infographic chevron week
Week rank
0
IOCs

WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.

Backdoor
Type
Unknown
Origin
1 April, 2024
First seen
20 January, 2025
Last seen
Also known as
Badspace

How to analyze WarmCookie with ANY.RUN

Type
Unknown
Origin
1 April, 2024
First seen
20 January, 2025
Last seen

IOCs

IP addresses
107.189.18.183
185.49.69.102
149.248.7.220
192.36.57.50
149.248.58.85
135.181.255.107
45.11.59.207
91.222.173.245
45.134.174.18
45.134.174.245
31.42.177.38
195.66.213.111
45.134.173.22
45.134.173.21
176.97.124.149
195.66.213.243
195.66.213.160
91.205.2.219
87.251.67.58
176.97.124.203
Domains
topsportracing.com
reports.checkfedexexp.com
mx1.info.tntseminars.com
rrfqm.site
windows.checkfedexexp.com
adbs.info.ultimacomputers.com
supports.checkfedexexp.com
appmin.checkfedexexp.com
duplified.com.co
branch1.checkfedexexp.com
mx1.info.ukshowroom.com
billing.checkfedexexp.com
mx1.info.toelicking.com
jianyun.com
dig-authentic.ipq.co
letjsnod.com
dedicated.vsys.host
savemo.shop
mx1.info.ultimacomputers.com
mx5.mailer.reasonablish.com
Last Seen at

Recent blog posts

post image
How Transport Company Gets Real-Time IOC and...
watchers 333
comments 0
post image
Release Notes: Threat Intelligence Reports, N...
watchers 2748
comments 0
post image
Enriching ANY.RUN's TI Feeds with Unique IOCs...
watchers 575
comments 0

What is Warmcookie malware?

WarmCookie, also referred to as BadSpace, is a two-stage backdoor malware that allows cybercriminals to gather victim information and deploy additional payloads. It is suspected to have been developed by an unidentified group of cybercriminals who are proficient in deploying sophisticated phishing campaigns.

The Warmcookie malware is mostly spread through phishing campaigns, as noted by various open-source intelligence (OSINT) sources. These emails often use job recruitment lures, making them appear legitimate and increasing the likelihood that recipients will open them.

As a two-stage backdoor malware, Warmcookie operates in 2 phases:

  • Initial stage: The first phase involves infecting the system and establishing an initial foothold. This stage is typically designed to be small and stealthy to avoid detection.
  • Secondary stage: After the initial infection, the second stage is activated. This phase offers more advanced capabilities, such as extensive data theft, deeper system infiltration, and the deployment of further malicious payloads.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Warmcookie malware technical details

The primary functionality of Warmcookie is to provide unauthorized remote access to compromised systems, allowing attackers to control the infected devices, exfiltrate sensitive data, and deploy additional malicious software.

Some of the key capabilities of Warmcookie include:

  • Allowing attackers to execute commands remotely on the infected system, giving them full control over the device.
  • Capturing and sending sensitive information, such as login credentials, financial data, and personal files, to the command and control (C2) server.
  • Downloading and executing additional malware, making it a versatile tool for multi-stage attacks.
  • Modifying system registries, creating scheduled tasks, and storing its DLL in inconspicuous locations for long-term access.
  • Establishing encrypted communication with its C2 server to receive instructions and exfiltrate data, making its traffic harder to detect and intercept by security tools.

Warmcookie execution process

To see how Warmcookie operates, let’s upload its sample to the ANY.RUN sandbox.

The infection begins when the victims receive phishing emails that appear to be personalized with their name and current employer, presenting a fake job offer. These emails contain a link, purportedly to an internal recruitment platform, which redirects the user to a landing page mimicking a legitimate recruitment site.

Warmcookie graph in ANY.RUN Warmcookie process graph in shown ANY.RUN sandbox

The fake landing page may prompt the victim to solve a CAPTCHA, making the site seem more legitimate before prompting the download of a heavily obfuscated JavaScript file named something like "JobOffer_Adecco_062024_XWYGQJOFSUQ.pdf.js." The double extension is designed to deceive users into believing it is a harmless PDF file rather than a dangerous JavaScript file.

Warmcookie report in ANY.RUN Warmcookie threat report generated by ANY.RUN

Once downloaded, the obfuscated JavaScript file executes a PowerShell script that uses Windows system utilities and services, such as BITS, to download the Warmcookie DLL from a specified URL and execute it via rundll32.exe.

To view logs of the script's execution, users can open the “Advanced details of the process” and navigate to the Script Tracer.

Warmcookie script in ANY.RUN Warmcookie script execution logs analysis in ANY.RUN

The Warmcookie DLL is then copied to “C:\ProgramData\RtlCpl\RtlCpl.dll,” and a scheduled task named "RtlCpl" is created to run it.

Warmcookie establishes communication with its command and control server and begins fingerprinting the victim's machine, collecting system information such as IP address, CPU details, volume serial number, DNS domain, computer name, and username. The malware can also capture screenshots, enumerate installed programs, execute arbitrary commands, drop files, and read file contents to send to the C2 server.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Warmcookie distribution methods

Similar to other malware like AgentTesla and Remcos, Warmcookie malware is typically delivered through social engineering techniques designed to trick victims into executing malicious software. The main delivery methods include:

  • Phishing emails: Emails pretending to be from recruiters or offering job opportunities, often with attachments or links that download the malware when clicked.
  • Malicious attachments: Word documents, PDFs, or Excel files that exploit software vulnerabilities to execute the malware when opened.
  • Malicious links: Links embedded in emails that direct victims to download the malware from compromised or malicious websites.

Conclusion

Warmcookie malware poses a significant threat due to its ability to provide remote control to attackers, steal sensitive data, deploy additional malicious payload, and maintain persistent access on compromised systems.

ANY.RUN is a cloud-based service that allows safe analysis of suspicious files and URLs, including Warmcookie malware. It enables anyone to observe malware behavior and collect indicators of compromise in a secure environment. With the help of ANY.RUN, you can easily understand Warmcookie's tactics to develop proper strategies for defending against it.

Sign up for ANY.RUN today - it's free!

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Backdoor screenshot
Backdoor
backdoor
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More