webmonitor | 8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8

General

Target

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
Size

811KB
MD5

cdab5970c5e3d12116faceea2b0b7ed9
SHA1

6b13121ed24e1952b8ceecab0a2cc95ed4182c41
SHA256

8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8
SHA512

21f0fa1eb0bdf5a200f2ecf9731f97f139884491f34f9088b3c54fbb529d7558763161e63ad19a50436479fbdcad49592455ef629fcb4f34b4a53e63a3c63a6b
SSDEEP

12288:54P00EVz7GYFuzIuZrpG0NHlq4duP2oWC8V1xEZyQeURSx8sWDF:54M0KPGYA8uZ40NFqL2oWNV1xyyhYs0

Score

10^/10

webmonitor backdoor discovery infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4052-30-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-31-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-33-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-35-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-36-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-38-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-39-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-40-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-41-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-42-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-43-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-44-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-46-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4052-47-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

Drops startup file 1 IoCs

Processes:

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DFMzhX.url	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3196-24-0x0000000005A90000-0x0000000005B79000-memory.dmp	upx
behavioral2/memory/4052-26-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-28-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-29-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-30-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-31-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-33-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-35-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-36-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-38-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-39-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-40-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-41-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-42-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-43-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-44-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-46-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4052-47-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Unexpected DNS network traffic destination 15 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	77.88.8.8
Destination IP	180.76.76.76
Destination IP	89.233.43.71
Destination IP	114.114.114.114
Destination IP	123.125.81.6
Destination IP	139.175.55.244
Destination IP	101.226.4.6
Destination IP	180.76.76.76
Destination IP	77.88.8.8
Destination IP	114.114.114.114
Destination IP	101.226.4.6
Destination IP	1.2.4.8
Destination IP	123.125.81.6
Destination IP	1.2.4.8
Destination IP	91.239.100.100

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

description pid process target process

PID 3196 set thread context of 4052 3196 cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe vbc.exe

description	pid	process	target process
PID 3196 set thread context of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

pid process

3196 cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
3196 cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3196 cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

pid	process
3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 3196 wrote to memory of 3612	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	csc.exe
PID 3196 wrote to memory of 3612	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	csc.exe
PID 3196 wrote to memory of 3612	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	csc.exe
PID 3612 wrote to memory of 320	3612	csc.exe	cvtres.exe
PID 3612 wrote to memory of 320	3612	csc.exe	cvtres.exe
PID 3612 wrote to memory of 320	3612	csc.exe	cvtres.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe
PID 3196 wrote to memory of 4052	3196	cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oju5c4vv\oju5c4vv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95E7.tmp" "c:\Users\Admin\AppData\Local\Temp\oju5c4vv\CSC9BC867EC41BA425E9965A9D14B2BA3E8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES95E7.tmp

Filesize
1KB

MD5
64bb593a1fb555d6f1d3f0e3c6f258bc

SHA1
83d35a9e5c76fbf65d26427dad001ca531671cda

SHA256
d6a665d9cbc693f7109f388e0943b85c4345902b4a8b7ffcdc3e9855fdd7a03d

SHA512
01e0fd2525b3543aa751ad38a6adea13967f2e7dd9cf6a5845fa64ec8119adb07f96774d8442fb2511233d7b007560dc744f77516bd76e033f0e5f40075c8e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oju5c4vv\oju5c4vv.dll

Filesize
18KB

MD5
73e42253b70b33510638338563429551

SHA1
e1f4db4f01e64f3ca927c208a8eb99bae6609ef7

SHA256
f16f6ffc9d5254e6050e50ac3321053764da12712f60732efedefbb5f8a0d433

SHA512
7c38733cde887b77c53d0be0243a22c5a3e27dda94fd03c28b66595f832b07664924efacce90fed479eab33eb454c0cff5e6dd0bcf090081d397f8a0a35d9ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oju5c4vv\oju5c4vv.pdb

Filesize
61KB

MD5
bbfd7587b4d76f744ae626cf97781ad8

SHA1
d1d73b02ca830caa92d5eec8bff53443e11f1cd9

SHA256
741a193e326ab1de16bbd94c49d52af64696c177a95d9c45d8086dc99955d8bf

SHA512
5a4c1c276c7171720228fd0e8bb972754f459c6dc4af6bb76029d01098956b6fcaff8d32d6f58e9bf028d54539cdf218b0684e7109a3f0df7b338a0b46d7a0b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oju5c4vv\CSC9BC867EC41BA425E9965A9D14B2BA3E8.TMP

Filesize
1KB

MD5
21c14e9323832dd7640b7d51ad4459de

SHA1
f553c52c5100e5d2dd8c3de87dab5ab9ab7e1b8d

SHA256
21adb7b229ee2804c245f9fb5da18f5780488beae03f13c0deb6344bedffc3d8

SHA512
9cc72cb58c54407536e94d2dadcc70ff6ef2193122d81e2863453bb85046f914b3269e2324477151cebe507a775148c2f54718ef4434fa87208241c1cfc8e0dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oju5c4vv\oju5c4vv.0.cs

Filesize
40KB

MD5
33f0461f62e4361b26284b020607ae9f

SHA1
401c349823a5b5dded9d33efde3049802173ed0f

SHA256
7070aa974294f183da6481efcbecbbceac23449c5357bc935ce1aaba6069b829

SHA512
c9f5511ac0652d230c1e1309cea2bd968405fc90e3f552438cf2a85902ec301a03111c630e9bc7caa100cec5e2b129e5cab14849726f29875f3edba45297fd03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oju5c4vv\oju5c4vv.cmdline

Filesize
312B

MD5
8211c32a3642b32f24ae45f131ade815

SHA1
d069a6688c5785835d99682f66fc1e8dff976456

SHA256
12a0d16500963518abc4a365ca85ca6112b4df44c3dd6592154e964f4615f81b

SHA512
6b5c6cf1b81fc874b015df673383d8da70e978c0debd304919b885a7e0f508174b3c6e0f5ee79697579ec771e2fd73c1f6a973c6ece65c64f4ff23105948bf03

Download Submit
memory/3196-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/3196-5-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/3196-1-0x0000000000A00000-0x0000000000ABA000-memory.dmp

Filesize
744KB

Download
memory/3196-17-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/3196-19-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/3196-20-0x00000000055F0000-0x0000000005658000-memory.dmp

Filesize
416KB

Download
memory/3196-21-0x0000000005500000-0x000000000550C000-memory.dmp

Filesize
48KB

Download
memory/3196-24-0x0000000005A90000-0x0000000005B79000-memory.dmp

Filesize
932KB

Download
memory/3196-25-0x0000000005D40000-0x0000000005DDC000-memory.dmp

Filesize
624KB

Download
memory/3196-32-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/4052-28-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-39-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-30-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-31-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-26-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-33-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-35-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-36-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-38-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-29-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-40-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-41-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-42-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-43-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-44-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-46-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4052-47-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads