Overview

overview

10

Static

static

3

1be5dfb676...18.exe

windows7-x64

10

1be5dfb676...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe

  • Size

    583KB

  • MD5

    1be5dfb676ea45c9b295f1ea843352bc

  • SHA1

    7c116f899466987ab92b393d9b9dd4f423ad2670

  • SHA256

    16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e

  • SHA512

    c96dc8b6af3b1c6e0a894caefb30637b73271492b7996d202f1e2f4044986789d27f0a5355175e2fa2080b0e8a19684c9bea333e745eba753603d65e51cf79f9

  • SSDEEP

    12288:kYe5yXuFDanhQ6zjJiWV2u+wMzpo7QjTwtkw7GPGbSEuO2I1n:6YSSZjgWVAlWUYtkw6O2Eu/Q

Score
10/10
webmonitorbackdoorinfostealerratupx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes
  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 15 IoCs
  • Drops startup file 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 17 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1be5dfb676ea45c9b295f1ea843352bc_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4o3gzvc\q4o3gzvc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B5A.tmp" "c:\Users\Admin\AppData\Local\Temp\q4o3gzvc\CSCDC7EB43C2EED4D61AB19B8F2DE766B2E.TMP"
        3⤵
          PID:4212
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:2372

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES7B5A.tmp
        Filesize

        1KB

        MD5

        01fa563d74abf342916cbeb9b74b5c00

        SHA1

        6eaf1fcd1686a4a0a73719603a1c70b47ee8ea62

        SHA256

        a749f61e844e392ccc0d34b41a79a00a3a3abfab0fdd9d1a204a545880bdd7b2

        SHA512

        71dff627bd4e666bc79ec56dd5382883fec14df7e75e8e059eb961f01ed954ec6d6c9e414173eb9c3362d18da2e681e976a5aad2928e412f75a5099c540418da

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\q4o3gzvc\q4o3gzvc.dll
        Filesize

        14KB

        MD5

        ca0a42486665810d82d281c8d5dfde5f

        SHA1

        424225de4e341534a176eb63ab48610f7451f40a

        SHA256

        66c5df0c4f202d6384b424d807762767207a56c8ab92f0893f8bc851fd68ebb0

        SHA512

        598e1b3e5b3a32470c974135cdc44f1b44f1d19732f9034bc9796b36e3b7b2456a01ea558269aeb8e50e5c708b25c7fe20cbbc006c12f021eac3e26f70d4ce6a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\q4o3gzvc\q4o3gzvc.pdb
        Filesize

        47KB

        MD5

        4b015f9ea9ccc58eedad79f929b024e7

        SHA1

        92d5cf104d7107b15236f9635ecff2c52d3d1b4b

        SHA256

        ec0f065d2dcbc3625afb5e4a8b9ea357a1df38fe342ab94cc865b39a7628d2cf

        SHA512

        ae1b13f2ceba4904c938f8ba27d56f94a09dbbf956316a3ca61f868f405ecd60b4379f4e4fc3fbc491a532841c53988a0cfbf9b4b0b5521aaccda0781bb60a77

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\q4o3gzvc\CSCDC7EB43C2EED4D61AB19B8F2DE766B2E.TMP
        Filesize

        1KB

        MD5

        f84073808a50d6e7d8519100f7cbaf46

        SHA1

        7c333ca847b73f8816d0efa4b946e832ec0ea58a

        SHA256

        8433c6e574850d02e8dbe001b887ab21d60f8afddc5041b1b2776992e8ce0cd6

        SHA512

        64f01af5f89c4d7e85abdff12362687c4c2a4429e060e35bc4ac18ef9b05a0a7f44e7336ab90fe91826ce30aec207ff147726a3c80e4d3ad86916d80b07147ed

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\q4o3gzvc\q4o3gzvc.0.cs
        Filesize

        27KB

        MD5

        c1e277911a0bb12bc30f2de9d2805aea

        SHA1

        e91bbd080c2148fa4fd4389f7b9bf7b3df1d559b

        SHA256

        50b6b56f66a192dc2778bae2a1c2ede167be01a0dc4adffc71aaa147556dcffe

        SHA512

        c610e386287bbbdc276405d8cc907c8db803ba6ebde07eb64fa36daff8a28722b8f794157e4c5b8569814697a5c419631d2c386500a1e2d2214e31972b9ddd49

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\q4o3gzvc\q4o3gzvc.cmdline
        Filesize

        312B

        MD5

        13c3e7f1333b96fb692f1cff561c8228

        SHA1

        e5d268f4dc54c42977a3ac3b3e7e1cee70082c03

        SHA256

        54904f1afaa6fbbfb0ad5ae15e55d1aef0fff394a633c764dfe6437784f73bb7

        SHA512

        ff4b7835839fb0713e09df08f3aab2d0741afd2411c66131f508bf4ecc62f467da38d4b33903f239960ee78030070dc60deadfb449ce98a7a352ed38f63f66c3

        Download Submit

      • memory/2372-27-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-37-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-46-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-45-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-44-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-43-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-42-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-41-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-39-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-26-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-38-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-36-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-29-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-31-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-32-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-33-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-34-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/2372-35-0x0000000000400000-0x00000000004E9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/4400-30-0x00000000744A0000-0x0000000074C50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4400-5-0x00000000744A0000-0x0000000074C50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4400-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4400-25-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4400-24-0x0000000005A10000-0x0000000005AF9000-memory.dmp

        Filesize

        932KB

        Download

      • memory/4400-21-0x00000000055C0000-0x00000000055CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4400-20-0x00000000059A0000-0x0000000005A08000-memory.dmp

        Filesize

        416KB

        Download

      • memory/4400-19-0x0000000005400000-0x0000000005492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4400-17-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4400-1-0x00000000009E0000-0x0000000000A7A000-memory.dmp

        Filesize

        616KB

        Download