webmonitor | 9b3e13d32754c9ef22703d119dd1f6d6c696e7b70c0ee8321dbc23aa9f7aecde

General

Target

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
Size

669KB
MD5

ad9f7de2681a1840052744584576195c
SHA1

2eb76d600e532e800a4339c27f50b7e084c72ab3
SHA256

9b3e13d32754c9ef22703d119dd1f6d6c696e7b70c0ee8321dbc23aa9f7aecde
SHA512

3c96f0f291ed9174f76677a3c77f60553f6654fae4464c02696afaf058398030d510953a7e65d4e716d3cbb2e86e4b9abe02e8f674a93fdb0e435ab6f98f4691
SSDEEP

12288:JWtA47mU+emU+s35pm2WSMWPNkotsHjmTIsR5aviD:J9EmU3mULppm7SXPNkUsDmQaD

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2376-33-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-31-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-34-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-36-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-37-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-38-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-40-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-41-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-42-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-44-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-45-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/2376-46-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

Drops startup file 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZbdzFE.url	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4312-24-0x00000000057C0000-0x00000000058A9000-memory.dmp	upx
behavioral2/memory/2376-29-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-30-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-33-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-31-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-26-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-34-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-36-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-37-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-38-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-40-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-41-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-42-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-44-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-45-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2376-46-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	91.239.100.100
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	180.76.76.76
Destination IP	139.175.55.244
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	77.88.8.8
Destination IP	89.233.43.71
Destination IP	1.2.4.8

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description pid process target process

PID 4312 set thread context of 2376 4312 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

pid process

4312 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
4312 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4312 ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	pid	process	target process
PID 4312 set thread context of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe

pid	process
4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ad9f7de2681a1840052744584576195c_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 4312 wrote to memory of 3568	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 4312 wrote to memory of 3568	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 4312 wrote to memory of 3568	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	csc.exe
PID 3568 wrote to memory of 2840	3568	csc.exe	cvtres.exe
PID 3568 wrote to memory of 2840	3568	csc.exe	cvtres.exe
PID 3568 wrote to memory of 2840	3568	csc.exe	cvtres.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe
PID 4312 wrote to memory of 2376	4312	ad9f7de2681a1840052744584576195c_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ad9f7de2681a1840052744584576195c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad9f7de2681a1840052744584576195c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nu1tistz\nu1tistz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4229.tmp" "c:\Users\Admin\AppData\Local\Temp\nu1tistz\CSC36BAF6589AA5418C8A7C2B47AA90ED38.TMP"
    3⤵
    PID:2840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4229.tmp

Filesize
1KB

MD5
223503407a1388104defcb24bf08b1d9

SHA1
47286d7a4a498b265fc2faf2afd8fa92ca3912f5

SHA256
7327699729cb91383c959de7173a39360b52a1c176aad43851d6f84003b899c5

SHA512
c0abad0b5855890ebbd145ee50e37e7ae7660b1b1af41ea4bc77d44c766bd7b456cbfbadf84b3485b28f668d8cdb5008dd82d9240a36ac5e51a8a9c09720ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nu1tistz\nu1tistz.dll

Filesize
17KB

MD5
cb781abe3cca0cb20da6c84ea55f69de

SHA1
1b445b79ac445bdbef06ed6c4fdd380fb2110ba4

SHA256
0f61f3e25f3411982eb0dc0cfb2f7e6df83e6556c40cded9551552a0109eaa45

SHA512
d4e571ab717c469a40f45863b03fcaac913ec351a3dd1f1277d4bdd64910a73681756b73c181b7dd153b2f8298f9bc247d43cdc06ef8b53d7c7a9d9c830f963b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nu1tistz\nu1tistz.pdb

Filesize
53KB

MD5
d5a1a8de4996ac4e85c8b1c6cc2f1d36

SHA1
1448b7c8d5c72afd49588341885a3ba9301f33aa

SHA256
3e8b33a33a5cf83e49f2d2b31ab07fe2c49de9218e0275166fe7cd3be7deacba

SHA512
01db7911712c8b7f53994a7854d4d160693b6a830be9880e0f77e3dec6879f56a7d9936a72e549fd192711593db0df19149d1733f9c1ab58c0b8631afdf3d14d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nu1tistz\CSC36BAF6589AA5418C8A7C2B47AA90ED38.TMP

Filesize
1KB

MD5
9135fbefbbc5d092fec56ca80b0c645f

SHA1
e32a2e9ef0a50163a4073a34013adacc7d7a0b53

SHA256
3b1362d0a1c26a36b7b434f3de076aa3ffe5a70db0cb73c68ecc2f1de2a22af0

SHA512
b0770ad2ad82884d4eea763c307bc9ced6e648ab7550277ccfac749b2e1ed9a69bc917120a4cb36ccf5d5ab155cc4a2dcb56fc8688fda853153c0593be38a50c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nu1tistz\nu1tistz.0.cs

Filesize
36KB

MD5
4e4c1726cac876b5227ce625df5da104

SHA1
1bd318a9d9f3d8b2fe6ad95e839e900f00de850a

SHA256
dd763dfe5ed6f32cd89563e926911f4d1ff78f84332a062ef887c4f191c71073

SHA512
1f9f9c0a7da1d1e17a8bbb6e99d09020923ce3c5daeecec0565426ce8bc3f3705b005ecb7527fa3be8588c267c7d0c029b5105f01011e52ed5f4a5d721e01ea1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nu1tistz\nu1tistz.cmdline

Filesize
312B

MD5
f3d17a322acdcf03ed85be8285d4ce13

SHA1
a044c0d97b763c0c998dfcc1a6e663a872d71df7

SHA256
875365bbab3ed23ef3d907a7ebcff398104c045109e63280857f5e21dd0b0cef

SHA512
3771141f0ab542cb1db16e38e1db8fcb6def83f9a1e11d9721a98ab6d16d2977616a38a8d01c27ef00251e1067dcb14118fa7863a860a796a338174b81388b25

Download Submit
memory/2376-34-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-40-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-46-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-45-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-44-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-42-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-41-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-38-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-37-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-29-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-30-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-36-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-33-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-31-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2376-26-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4312-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4312-32-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4312-25-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/4312-24-0x00000000057C0000-0x00000000058A9000-memory.dmp

Filesize
932KB

Download
memory/4312-5-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4312-21-0x00000000051C0000-0x00000000051CC000-memory.dmp

Filesize
48KB

Download
memory/4312-20-0x0000000005750000-0x00000000057B8000-memory.dmp

Filesize
416KB

Download
memory/4312-19-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4312-17-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/4312-1-0x0000000000770000-0x000000000081E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads