webmonitor | 8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8

General

Target

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
Size

811KB
MD5

cdab5970c5e3d12116faceea2b0b7ed9
SHA1

6b13121ed24e1952b8ceecab0a2cc95ed4182c41
SHA256

8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8
SHA512

21f0fa1eb0bdf5a200f2ecf9731f97f139884491f34f9088b3c54fbb529d7558763161e63ad19a50436479fbdcad49592455ef629fcb4f34b4a53e63a3c63a6b
SSDEEP

12288:54P00EVz7GYFuzIuZrpG0NHlq4duP2oWC8V1xEZyQeURSx8sWDF:54M0KPGYA8uZ40NFqL2oWNV1xyyhYs0

Score

10^/10

webmonitor backdoor discovery infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 11 IoCs

resource	yara_rule
behavioral1/memory/2688-35-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-34-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-36-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-38-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-39-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-41-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-43-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-45-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-46-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-48-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/2688-50-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DFMzhX.url	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-23-0x00000000020B0000-0x0000000002199000-memory.dmp	upx
behavioral1/memory/2688-29-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-32-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-26-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-25-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-31-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-35-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-34-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-36-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-38-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-39-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-41-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-43-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-45-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-46-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-48-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/2688-50-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	77.88.8.8
Destination IP	89.233.43.71
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	123.125.81.6
Destination IP	91.239.100.100
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	101.226.4.6
Destination IP	139.175.55.244

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2884	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2884	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2884	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2884	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2360	2884	csc.exe	32
PID 2884 wrote to memory of 2360	2884	csc.exe	32
PID 2884 wrote to memory of 2360	2884	csc.exe	32
PID 2884 wrote to memory of 2360	2884	csc.exe	32
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33
PID 1848 wrote to memory of 2688	1848	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\314r5n4e\314r5n4e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9675.tmp" "c:\Users\Admin\AppData\Local\Temp\314r5n4e\CSCADE1F0F99FBE4076B4B554BC61D9582B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\314r5n4e\314r5n4e.dll

Filesize
18KB

MD5
f14181e60ede72461f07e45c096dff14

SHA1
cca1881bb30e5661d433c695c0d7e71c12d5b5fe

SHA256
fe6b51861eb4db3a6b5ef36294f9d2ad36bf4c4e282769a06d34c883e56090bd

SHA512
c2c724d3f2d4d7b9827a0f093353b3d40b4d67ed0c17a5ba5420f584b092a97a73e2683340742fc7a9ab49c44674ded98f31ac8549a7286948a03bd6d1cad0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\314r5n4e\314r5n4e.pdb

Filesize
61KB

MD5
7d74113024c3dce82b7260b68d17bec2

SHA1
9d917a93452dd8219eb3263d195824212a06e54e

SHA256
1b4dd4e7bb8a079c2766221e9dc45746ce6da4d5dccb86092aa084a0a3fabb93

SHA512
bcf03b4b8b0db669533cdf2e953d67e518ff0954b60427465cbe57964ad1c8ecf8a92f82717fea2f45a32c960fdc78d5f26ab98f6f811a9ab61b67f05e56f7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9675.tmp

Filesize
1KB

MD5
8b43d2f0a4982e364443aa826ba194d3

SHA1
110a11c65c2dc3c53a1ddfc1b479e1f2d36625c3

SHA256
0962784b38c1afdc961ee2370d0582c3a62bd90b935a32bc518d6bf2c199bfbf

SHA512
3b550ed61c3ee8c31b86c4c014655ddf8824de4a6c1bfeac8a771d2495de5efd68129327b9bbd1e3c2500a3e69a33d17df69abe33602376e47a276ea8874d8b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\314r5n4e\314r5n4e.0.cs

Filesize
40KB

MD5
33f0461f62e4361b26284b020607ae9f

SHA1
401c349823a5b5dded9d33efde3049802173ed0f

SHA256
7070aa974294f183da6481efcbecbbceac23449c5357bc935ce1aaba6069b829

SHA512
c9f5511ac0652d230c1e1309cea2bd968405fc90e3f552438cf2a85902ec301a03111c630e9bc7caa100cec5e2b129e5cab14849726f29875f3edba45297fd03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\314r5n4e\314r5n4e.cmdline

Filesize
312B

MD5
f5d5772f298fd347bd806fed3ed11d49

SHA1
bc9b2438b3e4ae7fc960d708d528f1b6809ec204

SHA256
7bd1ecf84e741fa1eac256804657373403831b9c826d67f445c11b14aa5220c1

SHA512
27ea7f2057e23bc76c686c2d6d5a14a9e4aed4df9abdd9297020e269df356aaf4f89a31c5d0fb9e008efe814057aa3726c975d4182688b5867e0103112ddb1db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\314r5n4e\CSCADE1F0F99FBE4076B4B554BC61D9582B.TMP

Filesize
1KB

MD5
93b26ff1fe237937ef16797f900c7eb8

SHA1
952445431500dfc27463f0ee0a6156c719eeecac

SHA256
c4a890b17b5ef7746dd944c85d5d11ec247102b0d1fa19b22da73ef38e82ccd0

SHA512
47d68295a8115a3191578ff08b246ef296b90aa6bf7fe2fd16c6ab8f6fb8352359d39961b54517afc158492b5b65e26fc3e687a8fe9d7cddcf9a9ab80f122571

Download Submit
memory/1848-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/1848-4-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-17-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1848-1-0x0000000000990000-0x0000000000A4A000-memory.dmp

Filesize
744KB

Download
memory/1848-20-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1848-19-0x0000000002040000-0x00000000020A8000-memory.dmp

Filesize
416KB

Download
memory/1848-23-0x00000000020B0000-0x0000000002199000-memory.dmp

Filesize
932KB

Download
memory/1848-33-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-24-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-36-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-32-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-25-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-31-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-35-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-34-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-29-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-26-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-38-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-39-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-41-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-43-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-45-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-46-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-48-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2688-50-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing