Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 23:04
Static task: static1
Behavioral task: behavioral1
- Sample: ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe
- Size: 17.2MB
- MD5: ee9a4ee14382824e759636426db0aa6f
- SHA1: 5ff8faa6df6c1ef352d4938be39a97092dd1c7c7
- SHA256: 48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
- SHA512: 4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656
- SSDEEP: 393216:8oiraP3TibAcVABUY/7+VRzBST8yYnnqop7sD4p6noceRC:8LaP3zcNYERzBSTOnnqO7sDI6B
Malware Config
Extracted (webmonitor)
- worldbala.wm01.to:443
- config_key: 1vt5MKV6CcJnGWsNVlYXmKcidNN2mBKt
- private_key: NcwyDvFB8
- url_path: /recv4.php
Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.
WebMonitor payload (2 IoCs)
- yara_rule family_webmonitor: behavioral2/memory/1728-28-0x0000000000400000-0x00000000004BE000-memory.dmp
- yara_rule family_webmonitor: behavioral2/memory/1728-30-0x0000000000400000-0x00000000004BE000-memory.dmp

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (GfnWebBrowser.exe)

Executes dropped EXE (1 IoCs)
- PID 5072: GfnWebBrowser.exe

Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 185.141.152.26
- Destination IP: 185.141.152.26

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GfnWebBrowser = "C:\\Users\\Admin\\AppData\\Roaming\\GfnWebBrowser.exe -boot" (GfnWebBrowser.exe)

Suspicious use of SetThreadContext (1 IoCs)
- PID 5072 set thread context of 1728 (GfnWebBrowser.exe, procid_target 106)

Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 4 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
- File opened for modification: C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier (cmd.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier (cmd.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe, 6 times)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AppLaunch.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (GfnWebBrowser.exe)

NTFS ADS (5 IoCs)
- File created: C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier (cmd.exe)
- File created: C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe\:Zone.Identifier:$DATA (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier (cmd.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 968 (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 5072 (GfnWebBrowser.exe)

Suspicious use of WriteProcessMemory (36 IoCs)
- PID 968 wrote to memory of 3020 (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe, procid_target 89), 3 times
- PID 968 wrote to memory of 4716 (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe, procid_target 91), 3 times
- PID 968 wrote to memory of 4484 (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe, procid_target 93), 3 times
- PID 968 wrote to memory of 2636 (ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe, procid_target 97), 3 times
- PID 2636 wrote to memory of 5072 (cmd.exe, procid_target 99), 3 times
- PID 5072 wrote to memory of 4732 (GfnWebBrowser.exe, procid_target 100), 3 times
- PID 5072 wrote to memory of 3132 (GfnWebBrowser.exe, procid_target 102), 3 times
- PID 5072 wrote to memory of 2520 (GfnWebBrowser.exe, procid_target 104), 3 times
- PID 5072 wrote to memory of 3420 (GfnWebBrowser.exe, procid_target 105), 3 times
- PID 5072 wrote to memory of 1728 (GfnWebBrowser.exe, procid_target 106), 9 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe (PID 968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3020)
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier"
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; System Location Discovery: System Language Discovery; NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe (PID 4716)
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe:Zone.Identifier"
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; System Location Discovery: System Language Discovery; NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe (PID 4484)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ee9a4ee14382824e759636426db0aa6f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
    Signatures: System Location Discovery: System Language Discovery; NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe (PID 2636)
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe (PID 5072)
      Command line: "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 4732)
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier"
        Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; System Location Discovery: System Language Discovery; NTFS ADS
      - C:\Windows\SysWOW64\cmd.exe (PID 3132)
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier"
        Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; System Location Discovery: System Language Discovery; NTFS ADS
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2520)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3420)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1728)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (1)
  - Subvert Trust Controls (1)
    - SIP and Trust Provider Hijacking (1)