webmonitor | 9b3e13d32754c9ef22703d119dd1f6d6c696e7b70c0ee8321dbc23aa9f7aecde

General

Target

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
Size

669KB
MD5

ad9f7de2681a1840052744584576195c
SHA1

2eb76d600e532e800a4339c27f50b7e084c72ab3
SHA256

9b3e13d32754c9ef22703d119dd1f6d6c696e7b70c0ee8321dbc23aa9f7aecde
SHA512

3c96f0f291ed9174f76677a3c77f60553f6654fae4464c02696afaf058398030d510953a7e65d4e716d3cbb2e86e4b9abe02e8f674a93fdb0e435ab6f98f4691
SSDEEP

12288:JWtA47mU+emU+s35pm2WSMWPNkotsHjmTIsR5aviD:J9EmU3mULppm7SXPNkUsDmQaD

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2500-35-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-38-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-36-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-39-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-40-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-41-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-42-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-43-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-45-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-47-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-48-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-50-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-52-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2500-53-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

Drops startup file 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZbdzFE.url	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2096-23-0x0000000000D40000-0x0000000000E29000-memory.dmp	upx
behavioral1/memory/2500-26-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-31-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-28-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-34-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-35-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-38-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-36-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-33-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-32-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-39-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-40-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-41-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-42-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-43-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-45-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-47-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-48-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-50-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-52-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2500-53-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	1.2.4.8
Destination IP	139.175.55.244
Destination IP	91.239.100.100
Destination IP	1.2.4.8
Destination IP	180.76.76.76
Destination IP	89.233.43.71
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	114.114.114.114
Destination IP	77.88.8.8

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description pid process target process

PID 2096 set thread context of 2500 2096 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

pid process

2096 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
2096 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2096 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	pid	process	target process
PID 2096 set thread context of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe

pid	process
2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2096 wrote to memory of 1420	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 1420	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 1420	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 1420	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 1420 wrote to memory of 2700	1420	csc.exe	cvtres.exe
PID 1420 wrote to memory of 2700	1420	csc.exe	cvtres.exe
PID 1420 wrote to memory of 2700	1420	csc.exe	cvtres.exe
PID 1420 wrote to memory of 2700	1420	csc.exe	cvtres.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 2096 wrote to memory of 2500	2096	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad9f7de2681a1840052744584576195c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lvqnvzrt\lvqnvzrt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B9F.tmp" "c:\Users\Admin\AppData\Local\Temp\lvqnvzrt\CSCDDB49413119342E3BBA3EA4613DCE19C.TMP"
    3⤵
    PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B9F.tmp

Filesize
1KB

MD5
2f9c34af012e311332bfc37ac3c13a7a

SHA1
e6162cd2900394589af1e069f958de4532359bb7

SHA256
ec407bc898ea4fac77fc01dd167394cd02f2b4514799552f20f6db7ca012cc59

SHA512
ab1bef6dfb3147f6e0dbe946e5dccef54e1c72cf2d289c6d625fdccd6575d1598c9618eb916e41f841c31d2602a6c59daee59ade39e91554a5f3c68fb0ecfa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvqnvzrt\lvqnvzrt.dll

Filesize
17KB

MD5
95b80de26a7d12399ce50b41d5e0dd0b

SHA1
940c39ff251d99b95297cdf5de8b91613adddd7b

SHA256
61d8d60d7da633235d6ca3b4cf4e97c076d142412cbc21b156e9a9af64d19abe

SHA512
b5ae629add1143c8047b7ce2061a85ca7058a902abf6e65bc03ca011c7c1ba5eb3f408721d1ddd817b09576015dae699d7e95c895349be722088874429761d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvqnvzrt\lvqnvzrt.pdb

Filesize
53KB

MD5
6501398187253e345c280d08f0c425dd

SHA1
62f37de1546510e82fd9d17c9edc112639b57744

SHA256
c04500808082d2c6474cbcaa0f972fb939267a19647cbcc06fe1ebb23f3e9a0f

SHA512
b5d3071af75273166049629e9e83d3db47cb3794b06e2d34882a10d4a22ce9767667f576d7498a31cb0d21947c9a0d86e06d2615ca415d5a4a0967aa9a7276fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvqnvzrt\CSCDDB49413119342E3BBA3EA4613DCE19C.TMP

Filesize
1KB

MD5
9daf532d1dc95e4b9d8f7862ae28083c

SHA1
cdd67af4ba3fa2c58b7d9b61c01ae132a6a9b1af

SHA256
1310a0663badaf5044168ac6df6d1b31099108f04fb972f29b78417962652ff8

SHA512
eb98a01224033b4a308c5c97d7a4217ca0a0ed74c2cc9ea2354201c6ed54995b11011ad667d46fc8e6cd48280eda4a4bd3e020e51c1284efea7e27ad2463c516

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvqnvzrt\lvqnvzrt.0.cs

Filesize
36KB

MD5
4e4c1726cac876b5227ce625df5da104

SHA1
1bd318a9d9f3d8b2fe6ad95e839e900f00de850a

SHA256
dd763dfe5ed6f32cd89563e926911f4d1ff78f84332a062ef887c4f191c71073

SHA512
1f9f9c0a7da1d1e17a8bbb6e99d09020923ce3c5daeecec0565426ce8bc3f3705b005ecb7527fa3be8588c267c7d0c029b5105f01011e52ed5f4a5d721e01ea1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvqnvzrt\lvqnvzrt.cmdline

Filesize
312B

MD5
21c13320463b1b1077c506b443b5c805

SHA1
7d7b93b929eebed6a52c8d8cdf3ed0504b8c50f2

SHA256
04e90fe23f2031ce5d9bd2093d8b654b80f19cc5ebab9b1cc57576d90b39f8ec

SHA512
16e6738258ba46180ee9ffd158b4a72356204eef8b0dbde92efba5c1eb08f0e2d55fa978810038489da21636cac08dc51076189750c2e65cbd2c14d6a856e63e

Download Submit
memory/2096-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2096-4-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2096-1-0x0000000001080000-0x000000000112E000-memory.dmp

Filesize
696KB

Download
memory/2096-17-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2096-19-0x0000000004F10000-0x0000000004F78000-memory.dmp

Filesize
416KB

Download
memory/2096-20-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2096-23-0x0000000000D40000-0x0000000000E29000-memory.dmp

Filesize
932KB

Download
memory/2096-37-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-34-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-39-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-28-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-26-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-35-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-38-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-24-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-36-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-33-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-32-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-31-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-40-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-41-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-42-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-43-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-45-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-47-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-48-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-50-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-52-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2500-53-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads