webmonitor | 16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e

General

Target

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
Size

583KB
MD5

1be5dfb676ea45c9b295f1ea843352bc
SHA1

7c116f899466987ab92b393d9b9dd4f423ad2670
SHA256

16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e
SHA512

c96dc8b6af3b1c6e0a894caefb30637b73271492b7996d202f1e2f4044986789d27f0a5355175e2fa2080b0e8a19684c9bea333e745eba753603d65e51cf79f9
SSDEEP

12288:kYe5yXuFDanhQ6zjJiWV2u+wMzpo7QjTwtkw7GPGbSEuO2I1n:6YSSZjgWVAlWUYtkw6O2Eu/Q

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-35-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-38-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-36-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-39-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-40-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-41-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-42-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-43-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-44-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-45-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-46-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-47-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-48-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-50-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-52-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2648-53-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

Drops startup file 1 IoCs

Processes:

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FGFpvS.url	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1984-23-0x0000000004C50000-0x0000000004D39000-memory.dmp	upx
behavioral1/memory/2648-26-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-33-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-34-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-32-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-31-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-28-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-35-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-38-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-36-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-39-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-40-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-41-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-42-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-43-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-44-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-45-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-46-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-47-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-48-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-50-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-52-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2648-53-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	180.76.76.76
Destination IP	77.88.8.8
Destination IP	114.114.114.114
Destination IP	123.125.81.6
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	91.239.100.100
Destination IP	139.175.55.244
Destination IP	101.226.4.6
Destination IP	89.233.43.71

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

description pid process target process

PID 1984 set thread context of 2648 1984 1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

pid process

1984 1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
1984 1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1984 1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

description	pid	process	target process
PID 1984 set thread context of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe

pid	process
1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 1984 wrote to memory of 2852	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	csc.exe
PID 1984 wrote to memory of 2852	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	csc.exe
PID 1984 wrote to memory of 2852	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	csc.exe
PID 1984 wrote to memory of 2852	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	csc.exe
PID 2852 wrote to memory of 2632	2852	csc.exe	cvtres.exe
PID 2852 wrote to memory of 2632	2852	csc.exe	cvtres.exe
PID 2852 wrote to memory of 2632	2852	csc.exe	cvtres.exe
PID 2852 wrote to memory of 2632	2852	csc.exe	cvtres.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe
PID 1984 wrote to memory of 2648	1984	1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xoz5a0ix\xoz5a0ix.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp" "c:\Users\Admin\AppData\Local\Temp\xoz5a0ix\CSC9BD3D579FB294A89853B1E2E3B709990.TMP"
    3⤵
    PID:2632
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp

Filesize
1KB

MD5
b9a8cea21dc4db0f0e6342313e9b30d1

SHA1
817143c18ea78f644561ce028cd940946dc3fdc6

SHA256
729d5c5fbc7cc3eeb17e48bb1ec9dca8003f7afe383dbaee1983a35203877d28

SHA512
4b21a8b8813afe3bb57aad0cf8eb0293b61fa8786da3c2193143acb8e28edcee77f6ff9e335ddc947c0a3bf3630ae875ef7d6620a15d1390bc253c8e50be993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoz5a0ix\xoz5a0ix.dll

Filesize
14KB

MD5
e9bbc42faf24aa50b53c26bddabbabaf

SHA1
f3002ba0b9436d6f8606a275fc53217acf4a9bd8

SHA256
c93d4ce02934be881ea2d5457ee181bac7c5eb396fefb2542bef1b13baeb4755

SHA512
5a096f325471e0cc560b39b9d5a259cebed8ddd3cf7b64406688e8fc9c85b5ae5d61d8fcd4b0806ab5b0c0a7ff5d9bc84146a33c740c9308c5410e624438b44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoz5a0ix\xoz5a0ix.pdb

Filesize
47KB

MD5
93a4837e6c5dc846bdd3d0cf7b1b2f33

SHA1
bde547250a58e4bb57ef8ad39f1e3d03b510b272

SHA256
90cd368fd9fd2e2ed8922bba380ffc0728473979fd260241910ca9a8f46aca12

SHA512
b25dad30adfca2b33318d2f2f8cf6a7949e5e05298bc61d2ec0e920705e05effc84db67c1312c109751b39e7ce59cdf65ea5f210fa0099161eedc5fdd4f2bfae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xoz5a0ix\CSC9BD3D579FB294A89853B1E2E3B709990.TMP

Filesize
1KB

MD5
c292f1580170639f08980ee273782f34

SHA1
2ebd79de201119e0d886d248f2b6c65b8c5eb639

SHA256
60ce7255743e653fdd47fee5a4ec9d13d035176122d27ee95c955d7aa011cd1a

SHA512
1c05f46ddf8a22abd2dc7322eb9b1aeab52da9e3995a4ef98e8b19624984d2ea99c5b5540b1d34e3539b7dabb17bfa1c05771be7e3c610a637e66ddfca308740

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xoz5a0ix\xoz5a0ix.0.cs

Filesize
27KB

MD5
c1e277911a0bb12bc30f2de9d2805aea

SHA1
e91bbd080c2148fa4fd4389f7b9bf7b3df1d559b

SHA256
50b6b56f66a192dc2778bae2a1c2ede167be01a0dc4adffc71aaa147556dcffe

SHA512
c610e386287bbbdc276405d8cc907c8db803ba6ebde07eb64fa36daff8a28722b8f794157e4c5b8569814697a5c419631d2c386500a1e2d2214e31972b9ddd49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xoz5a0ix\xoz5a0ix.cmdline

Filesize
312B

MD5
a8924b5c0a84980076ceaf90a72c0449

SHA1
91f73b65d18b85f7df4e6c3ff0eb94dc1798885c

SHA256
102558da5477273eed5e080fcd81696d63ebf8d41847b760b9e69cc336b0d6f0

SHA512
dce6d21e5af8b83328ad23de608d0f60387f35f6a541dce6067097f2ba9b2b1e295db7d9a5459db5fe7fd5bc211c406e0b7393a2684005de0cea66b6b5f38a9d

Download Submit
memory/1984-6-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-0-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000AF0000-0x0000000000B8A000-memory.dmp

Filesize
616KB

Download
memory/1984-17-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1984-19-0x0000000004BC0000-0x0000000004C28000-memory.dmp

Filesize
416KB

Download
memory/1984-20-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1984-23-0x0000000004C50000-0x0000000004D39000-memory.dmp

Filesize
932KB

Download
memory/1984-37-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-31-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-39-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-34-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-32-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-28-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-24-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-35-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-38-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-26-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-36-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-33-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-40-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-41-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-42-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-43-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-44-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-45-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-46-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-47-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-48-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-50-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-52-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2648-53-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads