webmonitor | 314f0b21f24f66667f7368e97ab3074508efe5ee811e5984ab4d884fccdc6f3b

General

Target

091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe
Size

737KB
MD5

091594da96c121bd3e18c5a85bfe27c1
SHA1

2e67b46334e1b1aae5c27c919f517ba759c00ce4
SHA256

314f0b21f24f66667f7368e97ab3074508efe5ee811e5984ab4d884fccdc6f3b
SHA512

19cfa75ecfc71e8dd32fc8af6639bf6c0bbb67665e5010754c38b68eae7ccae59fb4ac2852f5b7776661b69975fbdb025c629a919fffbc56bc1c5ba0d4bb2e1a
SSDEEP

12288:HxLAayUuy3hJA7pS4evYDyjqdGiq8QhE9rnHt+Sr5WGLxMLWmAijgugFputYdZt:HZyShJAc4evsW4Gib0EJN+Sr5vKWmAw4

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

C2

web77.wm01.to:443

Attributes

config_key
Yx500sfaueJo0wEDjjDx6FU3y2XQM37M
private_key
GixqWBITl
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 10 IoCs

resource	yara_rule
behavioral1/memory/2772-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-10-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-11-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-13-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor
behavioral1/memory/2772-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_webmonitor

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-4-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-5-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-7-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-8-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-10-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-11-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-13-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/memory/2772-17-0x0000000000400000-0x0000000000537000-memory.dmp	upx

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	1.2.4.8

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-4dd3 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-4dd3.exe"	091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2772	091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2772	091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\091594da96c121bd3e18c5a85bfe27c1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-1-0x0000000077A30000-0x0000000077A31000-memory.dmp

Filesize
4KB

Download
memory/2772-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-2-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2772-3-0x0000000077A10000-0x0000000077B90000-memory.dmp

Filesize
1.5MB

Download
memory/2772-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-6-0x0000000077A10000-0x0000000077B90000-memory.dmp

Filesize
1.5MB

Download
memory/2772-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-10-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-11-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads