webmonitor | 3a161baa6ade1fd9b3430a4a828956473e7c91f6d9e05a448452136d99095aac

General

Target

df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe
Size

694KB
MD5

df280dda64ba0e93d9e80779eb9b2491
SHA1

30cb99df159bb60b3a9356b0f626deb0c95d56e1
SHA256

3a161baa6ade1fd9b3430a4a828956473e7c91f6d9e05a448452136d99095aac
SHA512

c48c57d07025b2342dedc715d35b3b7e3ccf4e3f3abafc81469c0c217c0f7df1b1d3a940ab8a98a1152b6edd2dcd4ae94f83d118467d92a69d26e66cf6e063fa
SSDEEP

12288:3LCwk7wqtnzX57EMgGMr+k0di2qP2WeR3PYeXuQViooshf:3LCwk7wqxx7JUvPxuPxuwHLh

Score

10^/10

webmonitor backdoor discovery infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

vit0x.wm01.to:443

Attributes

config_key
sfh0MavnyDfXzTlYYGRziPhnyIYnjr6k
private_key
pjaH84P73
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4420-7-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4420-8-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4420-14-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4420-3-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4420-6-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4420-4-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4420-7-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4420-8-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4420-14-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe

description pid process target process

PID 552 set thread context of 4420 552 df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe RegSvcs.exe

description	pid	process	target process
PID 552 set thread context of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exeRegSvcs.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeShutdownPrivilege 4420 RegSvcs.exe
Token: SeCreatePagefilePrivilege 4420 RegSvcs.exe

description	pid	process
Token: SeShutdownPrivilege	4420	RegSvcs.exe
Token: SeCreatePagefilePrivilege	4420	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exeRegSvcs.exe

description	pid	process	target process
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 552 wrote to memory of 4420	552	df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe	RegSvcs.exe
PID 4420 wrote to memory of 4780	4420	RegSvcs.exe	cmd.exe
PID 4420 wrote to memory of 4780	4420	RegSvcs.exe	cmd.exe
PID 4420 wrote to memory of 4780	4420	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df280dda64ba0e93d9e80779eb9b2491_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWpY6cyQp2PMnhl0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zWpY6cyQp2PMnhl0.bat

Filesize
204B

MD5
50c345d218035c1b43ab7262ff83b68c

SHA1
35dbc0fb985e7781af86bf20370141643749d6fb

SHA256
f28d3772598cca93dc3e05217699df3538f0b60f4c176d10c2f85f372b95765b

SHA512
b227d1ab12346976a4f0103d23d017c73b068c122a909ad6e5d00b1d3d8f37461ba3497528f9ff77f82283dafe7895f9ca7874b2ae10c38725325ca2a9dab311

Download Submit
memory/552-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/552-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/552-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/552-9-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4420-3-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-6-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-4-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-7-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-8-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-14-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads