Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2024 23:33
Behavioral tasks

behavioral1
  Sample: 8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
  Resource: win7-20240708-en

behavioral2
  Sample: 8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
Size: 713KB
MD5: 8e0ab24cc57b4e79508530cc67d25760
SHA1: 130f6ea476483729c4b498c0145a0f5dac52d0ef
SHA256: b87d9fe46b6fd58afe41a2e8919907e1a94f5439e89aba6dfa9b27c890cfaaec
SHA512: 290dca4dc943b6ad0aa0a74af0574dd11de9d757749b0593782dff48321f557ea866de7436e35cd7e5078a3cf6d24daddedad54113a096b5c6eb925f3ad2d789
SSDEEP: 12288:Mk+CItZfMhWTkyQzU+4dt6iNr9cBVX6nLFYn85Sd4dsgiXi5dQgWiE/M:Mk6Ghz9UJt/NrGBUnLT5ddsgwi7qiEE
Malware Config
Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

WebMonitor payload (8 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3776-2-0x0000000000400000-0x00000000005F7000-memory.dmp   family_webmonitor
behavioral2/memory/3776-6-0x0000000000400000-0x00000000005F7000-memory.dmp   family_webmonitor
behavioral2/memory/3776-7-0x0000000000400000-0x00000000005F7000-memory.dmp   family_webmonitor
behavioral2/memory/3776-9-0x0000000000400000-0x00000000005F7000-memory.dmp   family_webmonitor
behavioral2/memory/3776-10-0x0000000000400000-0x00000000005F7000-memory.dmp  family_webmonitor
behavioral2/memory/3776-12-0x0000000000400000-0x00000000005F7000-memory.dmp  family_webmonitor
behavioral2/memory/3776-15-0x0000000000400000-0x00000000005F7000-memory.dmp  family_webmonitor
behavioral2/memory/3776-17-0x0000000000400000-0x00000000005F7000-memory.dmp  family_webmonitor

Webmonitor family
Unexpected DNS network traffic destination (14 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  114.114.114.114
Destination IP  185.141.152.26
Destination IP  114.114.114.114
Destination IP  1.2.4.8
Destination IP  114.114.114.114
Destination IP  114.114.114.114
Destination IP  185.141.152.26
Destination IP  185.141.152.26
Destination IP  1.2.4.8
Destination IP  1.2.4.8
Destination IP  185.141.152.26
Destination IP  185.141.152.26
Destination IP  1.2.4.8
Destination IP  185.141.152.26
upx yara_rule matches (9 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3776-0-0x0000000000400000-0x00000000005F7000-memory.dmp   upx
behavioral2/memory/3776-2-0x0000000000400000-0x00000000005F7000-memory.dmp   upx
behavioral2/memory/3776-6-0x0000000000400000-0x00000000005F7000-memory.dmp   upx
behavioral2/memory/3776-7-0x0000000000400000-0x00000000005F7000-memory.dmp   upx
behavioral2/memory/3776-9-0x0000000000400000-0x00000000005F7000-memory.dmp   upx
behavioral2/memory/3776-10-0x0000000000400000-0x00000000005F7000-memory.dmp  upx
behavioral2/memory/3776-12-0x0000000000400000-0x00000000005F7000-memory.dmp  upx
behavioral2/memory/3776-15-0x0000000000400000-0x00000000005F7000-memory.dmp  upx
behavioral2/memory/3776-17-0x0000000000400000-0x00000000005F7000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                       pid   Process
Token: SeDebugPrivilege           3776  8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
Token: SeShutdownPrivilege        3776  8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege  3776  8e0ab24cc57b4e79508530cc67d25760_JaffaCakes118.exe