Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Size: 2.1MB
MD5: 8b9cccdb24eb9b20f9fd3119706f4471
SHA1: 711e1172cd8783297d9a148a8a8c4743fbd6e89d
SHA256: 3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50
SHA512: d69242390b6e30c749ba0274281555617ad0408310b26571e6cb7b18df8addf525c046092747ea5db8cd0c157f2acc64d500f2fcfc73a94a98b317960a5f6aa1
SSDEEP: 49152:slwDTibTrn2+eWekrP90yVJNMfw45uWIXZkv8:slwD+jnnxekrP9zJWwyvEkk
Malware Config
Extracted
  webmonitor
  therealmatrixs.wm01.to:443
  config_key: Pqe2NRmv6q77pu6rspeYtwpwbbWkEwWt
  private_key: TWF2E2Jad
  url_path: /recv5.php
Signatures
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.
WebMonitor payload (1 IoCs)
Processes:
  resource: behavioral2/memory/4876-2-0x0000000000400000-0x000000000095F000-memory.dmp
  yara_rule: family_webmonitor
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
  pid: 4876
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 4876
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe

  pid: 4876
  process: 8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8b9cccdb24eb9b20f9fd3119706f4471_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4876