General

  • Target

    cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118

  • Size

    811KB

  • Sample

    240831-1s2elaxeqa

  • MD5

    cdab5970c5e3d12116faceea2b0b7ed9

  • SHA1

    6b13121ed24e1952b8ceecab0a2cc95ed4182c41

  • SHA256

    8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8

  • SHA512

    21f0fa1eb0bdf5a200f2ecf9731f97f139884491f34f9088b3c54fbb529d7558763161e63ad19a50436479fbdcad49592455ef629fcb4f34b4a53e63a3c63a6b

  • SSDEEP

    12288:54P00EVz7GYFuzIuZrpG0NHlq4duP2oWC8V1xEZyQeURSx8sWDF:54M0KPGYA8uZ40NFqL2oWNV1xyyhYs0

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor payload

    • Drops startup file

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks