webmonitor | f9c069523cc221dcea4a5b46281e6752ba4a567480b7c81e3a80d369c73b07ff

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
Size

1.3MB
MD5

fb4e9686e8d934c6e71f69fbf69cbba6
SHA1

91b52740a1d9a46bddb568cfc6e9d035c5160b22
SHA256

f9c069523cc221dcea4a5b46281e6752ba4a567480b7c81e3a80d369c73b07ff
SHA512

36c09106eeaa9bbd452fef2bb8d6dda58e1894f1a54963af4b27f61c73ddbf45bb6c523b10a18a22dce138fb6fa5ffba72a7190c6a9e3c2ff24eaf166ba2f87d
SSDEEP

24576:K/86WY0n6q9nXshv7ogKw+/dA1hhLdiIIjE6YdZxua7Fz:nSrqRXshMgushQm6Yjxua7Fz

Score

10^/10

webmonitor zgrat backdoor infostealer rat upx

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-4-0x00000000021C0000-0x0000000002236000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-5-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-6-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-8-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-10-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-12-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-14-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-16-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-18-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-20-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-22-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-24-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-26-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-28-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-30-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-32-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-34-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-36-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-38-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-40-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-42-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-44-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-48-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-46-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-50-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-52-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-56-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-54-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-58-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-60-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-62-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-68-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-66-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1888-64-0x00000000021C0000-0x000000000222F000-memory.dmp	family_zgrat_v1

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3012-2327-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral1/memory/3012-2341-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3012-2327-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/3012-2341-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.141.152.26
Destination IP 1.2.4.8
Destination IP 185.141.152.26
Destination IP 185.141.152.26
Destination IP 1.2.4.8

description	ioc
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	1.2.4.8

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe

description	pid	process	target process
PID 1888 set thread context of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exepowershell.exe

pid process

1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
2932 powershell.exe

pid	process
1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exefb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeShutdownPrivilege	3012	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exeWScript.exe

description	pid	process	target process
PID 1888 wrote to memory of 912	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	WScript.exe
PID 1888 wrote to memory of 912	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	WScript.exe
PID 1888 wrote to memory of 912	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	WScript.exe
PID 1888 wrote to memory of 912	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	WScript.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
PID 912 wrote to memory of 2932	912	WScript.exe	powershell.exe
PID 912 wrote to memory of 2932	912	WScript.exe	powershell.exe
PID 912 wrote to memory of 2932	912	WScript.exe	powershell.exe
PID 912 wrote to memory of 2932	912	WScript.exe	powershell.exe
PID 1888 wrote to memory of 3012	1888	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe	fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Zdazrmkyf.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Adobe\Vegas.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Zdazrmkyf.vbs

Filesize
179B

MD5
d7208d15ac113b64589278beda42796c

SHA1
8989f6676a01a34240ad7f6c275bfdaa0e5836e1

SHA256
2d9b6aee07eb1062249ca329f22d5bbeb04dcd5ed40ba06fb53e3e4667f9e41b

SHA512
2ad9cf8b3a6f0960e41eb7a12641320338899b6da395e46883caf85d73bd529027bcec252e3eace02cc5a7c91639f94209962f2458188eb965465673929cb57e

Download Submit
memory/1888-48-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-8-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-3-0x00000000054A0000-0x0000000005594000-memory.dmp

Filesize
976KB

Download
memory/1888-4-0x00000000021C0000-0x0000000002236000-memory.dmp

Filesize
472KB

Download
memory/1888-5-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-6-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-10-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-12-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-14-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-16-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-18-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-20-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-22-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-24-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-26-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-28-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-30-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-44-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-34-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-36-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-38-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-40-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-42-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-32-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-2-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1888-46-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-50-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-52-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-56-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-54-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-58-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-60-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-62-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-68-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-66-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-64-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1888-329-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-2103-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1888-0-0x00000000000C0000-0x000000000020E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-2329-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-2332-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-2333-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/2932-2334-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-2335-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/2932-2336-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/2932-2337-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-2327-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/3012-2339-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/3012-2341-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/3012-2342-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download