Overview

overview

10

Static

static

3

1157923e5c...18.exe

windows7-x64

7

1157923e5c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe

  • Size

    621KB

  • MD5

    1157923e5cd51d747faf266da4e22de5

  • SHA1

    fc2cd39cfae0b4f5ea343e6286e3e98147fac320

  • SHA256

    9f44d74b5fe2e6353074ba70ade88d1747f038ca9902be34cb2ca95eecafc760

  • SHA512

    668e34d0dd732915573e99cae4fb5b7de590f89824fc1142ae3b5fd737af0489be5f69ca9121f8e80f2cb380795ca95addb582ef22a214942f0cc74e1f892a1f

  • SSDEEP

    12288:ACL1cBficFlfKUMXSxY8L/RMkH6d2c60NPgMS6gl0tfqdlW3fp+4V1H/eu1D1S3L:TRchPoU/M2USQYs

Score
10/10
webmonitorbackdoorinfostealerpersistenceratupx

Malware Config

Extracted

Family

webmonitor

C2

perlhabour.wm01.to:443

Attributes
  • config_key

    XNmE4WPjibOWPGiI4YZB52MvfFKluIbw

  • private_key

    RpKoGNosA

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 11 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:3612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:2544
    • C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      PID:1028
    • C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: RenamesItself
      PID:1596
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1652
      2⤵
      • Program crash
      PID:4004
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2916 -ip 2916
    1⤵
      PID:2956

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe
      Filesize

      621KB

      MD5

      1157923e5cd51d747faf266da4e22de5

      SHA1

      fc2cd39cfae0b4f5ea343e6286e3e98147fac320

      SHA256

      9f44d74b5fe2e6353074ba70ade88d1747f038ca9902be34cb2ca95eecafc760

      SHA512

      668e34d0dd732915573e99cae4fb5b7de590f89824fc1142ae3b5fd737af0489be5f69ca9121f8e80f2cb380795ca95addb582ef22a214942f0cc74e1f892a1f

      Download Submit
    • memory/1596-25-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-23-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-19-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-22-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-21-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-20-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1596-17-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

      Download
    • memory/2916-6-0x0000000005A20000-0x0000000005A42000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2916-8-0x0000000006000000-0x00000000065A4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2916-10-0x0000000005B40000-0x0000000005BD2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2916-11-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2916-12-0x0000000074D20000-0x00000000754D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2916-14-0x0000000006B50000-0x0000000006BEC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2916-13-0x0000000005F70000-0x0000000005F7C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2916-9-0x0000000005A00000-0x0000000005A0C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2916-7-0x0000000005130000-0x0000000005138000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2916-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2916-5-0x0000000074D20000-0x00000000754D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2916-4-0x0000000005140000-0x0000000005302000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2916-3-0x0000000004F00000-0x0000000004F66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2916-2-0x0000000002930000-0x0000000002958000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2916-24-0x0000000074D20000-0x00000000754D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2916-1-0x0000000000470000-0x0000000000512000-memory.dmp
      Filesize

      648KB

      Download