webmonitor | d6593053bda046cd96e0e5e508e0f57622c464738838b84984e35e683d46c414

General

Target

fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe
Size

1.9MB
MD5

fac4b5a9c4f10517f44d4ae172f6473c
SHA1

2304b22499e60fa87ea5f9d3fee5f6d9ecacf9ee
SHA256

d6593053bda046cd96e0e5e508e0f57622c464738838b84984e35e683d46c414
SHA512

6b8dc4430f6068eaac9d27e4f322d1ae921f56b9940e266ba44ed791917c37b14bb9cb1ea3b861da36d9efe44af7acf75264e19d60a5fb1e89deabd1afa1bdbc
SSDEEP

24576:qYOSCmr2OsBgo0q4wMEX1RTdVfm6ZWZmMv1XdyqTQV0QQXTMrBwtP9kvIuyR:qq/oHMEX1XVO6o91tn6IPtP9kvSR

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
private_key
yvkn5wM8E
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2608-16-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-17-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-19-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-25-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-27-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-30-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/2608-31-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2268-3-0x0000000000200000-0x0000000000212000-memory.dmp	CustAttr

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	1.2.4.8

Suspicious use of SetThreadContext 1 IoCs

Processes:

fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe

description pid process target process

PID 2268 set thread context of 2608 2268 fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe

pid process

2268 fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2268 fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe
Token: SeShutdownPrivilege 2608 RegSvcs.exe

description	pid	process	target process
PID 2268 set thread context of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe

pid	process
2772	schtasks.exe

pid	process
2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2608	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe

description	pid	process	target process
PID 2268 wrote to memory of 2772	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	schtasks.exe
PID 2268 wrote to memory of 2772	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	schtasks.exe
PID 2268 wrote to memory of 2772	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	schtasks.exe
PID 2268 wrote to memory of 2772	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	schtasks.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe
PID 2268 wrote to memory of 2608	2268	fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fac4b5a9c4f10517f44d4ae172f6473c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WLmzCRrQBmjpU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp

Filesize
1KB

MD5
4cf9b2ea4f3fdc41268ce6f84d5b3bb5

SHA1
4179ba7a0cc0048cd46c178b429dc530757437b3

SHA256
5bf365671fbe7bf7de8b7e31afdd2ef99e804c40eb68d1189cf7030183e64550

SHA512
04faa5e009bc8db801dc2f57afcc92eb27cb4ecf33ad99a1ee9dca332549084d61fb053836f245898d003f4a7e3030a6d01bca7ef866f33c87d0c8d18ebaf552

Download Submit
memory/2268-0-0x0000000000C50000-0x0000000000E48000-memory.dmp

Filesize
2.0MB

Download
memory/2268-1-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-2-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2268-3-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/2268-4-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-5-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2268-6-0x0000000005B90000-0x0000000005CC8000-memory.dmp

Filesize
1.2MB

Download
memory/2268-7-0x0000000005CC0000-0x0000000005DB4000-memory.dmp

Filesize
976KB

Download
memory/2268-26-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2608-15-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-16-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-17-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-19-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-25-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-13-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-27-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-29-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2608-30-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-31-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2608-32-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads