General

  • Target

    4c48175a44d89ef8d6c92b8473eba6a6_JaffaCakes118

  • Size

    5.2MB

  • Sample

    240516-v9jcfsga4t

  • MD5

    4c48175a44d89ef8d6c92b8473eba6a6

  • SHA1

    de0541f008f9e606f799069d90d9f3ebd9d1a70d

  • SHA256

    d482d7e39076ad62091622475baa816ca68e88f144253e42a9cdf42fe6473fa5

  • SHA512

    ecf4d3cc409654e17c9d1d4c142ce14ee52630a7715663049899e37a6528c65294e5df41bd3d567d8e4887375a700ca3916469a38ffe85dfada03cffac878d7e

  • SSDEEP

    98304:RK6MK+15ZA/wFkzThIeqpxRpJHXOAd2QNXZTIpKskI5XzCh6XcY2R9tR:RK6yZhkhI7pJH+MRhIgsJGh6XWRTR

Malware Config

Extracted

  • Family

    webmonitor

  • C2

    kamilw1337.wm01.to:443

  • Attributes

    • config_key

      a72oDI537AbYRjeItTOo34O25nOyaPFK

    • private_key

      MqUzv9esY

    • url_path

      /recv5.php

Targets

    • Target

      Extreme Injector v3.7.exe

    • Size

      365KB

    • MD5

      1250fbb9be09180d07d87d1abdc2b349

    • SHA1

      c58da16d2e16955498b083bf5d5a55a4cccf32fe

    • SHA256

      8979b90d56e060696bcd2f0e36f2c0a10c7ccab4114bfce1bb278bf25ecc2946

    • SHA512

      ffe323afa8b5ae6d574dff789dd2b42d0ce80581e47648425fc3b57873092f2ee38dcdb17e45e601803ffd4c806f38fcfaf5d785bbb8a1657f71fde980dcedb1

    • SSDEEP

      6144:cxLA03giVtLfLzHbklDubM1oFRgfHaSjcVfUpJqTyZp0KfgxcFmQoZgfHlgASbyz:cxLA4tLf37ktu2qg/aSjosL4Kfgo5oZ2

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Target

      Extreme Injector v3.exe

    • Size

      1.9MB

    • MD5

      ec801a7d4b72a288ec6c207bb9ff0131

    • SHA1

      32eec2ae1f9e201516fa7fcdc16c4928f7997561

    • SHA256

      b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

    • SHA512

      a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

    • SSDEEP

      49152:NNEVtO1U1y1DDDDDD7Llngq7NNMqU0p2Vhk9a:NNEVJyZlng4p2V

    • Score

      6/10

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      xyoungsokin.dll

    • Size

      5.8MB

    • MD5

      e487e4dcb8fb3cafad7cd4e38d95ff25

    • SHA1

      c4fc0e7b24fe70a9b90812bb8ca8b642b717f0b2

    • SHA256

      7808e7aeda869ae43b63b897a1af451a45fb50ed9e28e43d3db33a49b8352da8

    • SHA512

      ba2a8fdd720a6f377658f0073f12e26527a18bf4496f2de7cbc64ed232ffa55a98067e501ca3237ac96e79fdac2892403386b415783d50367955cad5b85ae744

    • SSDEEP

      98304:4m4Y8mQ9tVQ+Pblvbby2rWFcr9E8DzsjPygCbEXsXhbWkfszn5N:sY8Pt6CBzwFG8jPnCbQspIznz

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Command and Control

  • Web Service (T1102): 1

Tasks