Analysis
  max time kernel: 147s
  max time network: 153s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 30/04/2024, 05:04
Behavioral task: behavioral1
  Sample: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
  Target: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe
  Size: 737KB
  MD5: 091594da96c121bd3e18c5a85bfe27c1
  SHA1: 2e67b46334e1b1aae5c27c919f517ba759c00ce4
  SHA256: 314f0b21f24f66667f7368e97ab3074508efe5ee811e5984ab4d884fccdc6f3b
  SHA512: 19cfa75ecfc71e8dd32fc8af6639bf6c0bbb67665e5010754c38b68eae7ccae59fb4ac2852f5b7776661b69975fbdb025c629a919fffbc56bc1c5ba0d4bb2e1a
  SSDEEP: 12288:HxLAayUuy3hJA7pS4evYDyjqdGiq8QhE9rnHt+Sr5WGLxMLWmAijgugFputYdZt:HZyShJAc4evsW4Gib0EJN+Sr5vKWmAw4
Malware Config
  Extracted: webmonitor
  C2: web77.wm01.to:443
  config_key: Yx500sfaueJo0wEDjjDx6FU3y2XQM37M
  private_key: GixqWBITl
  url_path: /recv5.php
Signatures

RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.
WebMonitor payload (10 IoCs)
  resource / yara_rule
  behavioral1/memory/2772-4-0x0000000000400000-0x0000000000537000-memory.dmp   family_webmonitor
  behavioral1/memory/2772-5-0x0000000000400000-0x0000000000537000-memory.dmp   family_webmonitor
  behavioral1/memory/2772-7-0x0000000000400000-0x0000000000537000-memory.dmp   family_webmonitor
  behavioral1/memory/2772-8-0x0000000000400000-0x0000000000537000-memory.dmp   family_webmonitor
  behavioral1/memory/2772-10-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor
  behavioral1/memory/2772-11-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor
  behavioral1/memory/2772-13-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor
  behavioral1/memory/2772-14-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor
  behavioral1/memory/2772-15-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor
  behavioral1/memory/2772-17-0x0000000000400000-0x0000000000537000-memory.dmp  family_webmonitor

  resource / yara_rule
  behavioral1/memory/2772-0-0x0000000000400000-0x0000000000537000-memory.dmp   upx
  behavioral1/memory/2772-4-0x0000000000400000-0x0000000000537000-memory.dmp   upx
  behavioral1/memory/2772-5-0x0000000000400000-0x0000000000537000-memory.dmp   upx
  behavioral1/memory/2772-7-0x0000000000400000-0x0000000000537000-memory.dmp   upx
  behavioral1/memory/2772-8-0x0000000000400000-0x0000000000537000-memory.dmp   upx
  behavioral1/memory/2772-10-0x0000000000400000-0x0000000000537000-memory.dmp  upx
  behavioral1/memory/2772-11-0x0000000000400000-0x0000000000537000-memory.dmp  upx
  behavioral1/memory/2772-13-0x0000000000400000-0x0000000000537000-memory.dmp  upx
  behavioral1/memory/2772-14-0x0000000000400000-0x0000000000537000-memory.dmp  upx
  behavioral1/memory/2772-15-0x0000000000400000-0x0000000000537000-memory.dmp  upx
  behavioral1/memory/2772-17-0x0000000000400000-0x0000000000537000-memory.dmp  upx
Unexpected DNS network traffic destination (11 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description / ioc
  Destination IP  185.141.152.26
  Destination IP  185.141.152.26
  Destination IP  114.114.114.114
  Destination IP  114.114.114.114
  Destination IP  1.2.4.8
  Destination IP  185.141.152.26
  Destination IP  185.141.152.26
  Destination IP  185.141.152.26
  Destination IP  1.2.4.8
  Destination IP  1.2.4.8
  Destination IP  1.2.4.8
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-4dd3 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-4dd3.exe"
  Process: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid: 2772
  Process: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeShutdownPrivilege
  pid: 2772
  Process: 091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe