Overview

overview

10

Static

static

3

JaffaCakes...ce.exe

windows7-x64

10

JaffaCakes...ce.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_671abad82fb56ab716e9e0ffbca116ce

  • Size

    1.8MB

  • Sample

    250107-rb96qswldj

  • MD5

    671abad82fb56ab716e9e0ffbca116ce

  • SHA1

    3707df01e839d5b67604debfbc762011593eb822

  • SHA256

    00d778b5fc11785ec2e51beb292a872a790a54a48889558ca64f03d8e9a1a6fd

  • SHA512

    c0d560081734ade5adcc32d401a014b53410270e1a8e97065bf2c04decdeece555762b6834dd20366aa4b75586a6dcdb6616f7b004d8ff429f3681d862bc2bdf

  • SSDEEP

    49152:CG6rYHQQFDut9t96xHVur1h63EuHenNMZ+Kzi:q8HQSosHM63EEWNMvzi

Score
10/10
webmonitorbackdoordefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratupx

Malware Config

Targets

    • Target

      JaffaCakes118_671abad82fb56ab716e9e0ffbca116ce

    • Size

      1.8MB

    • MD5

      671abad82fb56ab716e9e0ffbca116ce

    • SHA1

      3707df01e839d5b67604debfbc762011593eb822

    • SHA256

      00d778b5fc11785ec2e51beb292a872a790a54a48889558ca64f03d8e9a1a6fd

    • SHA512

      c0d560081734ade5adcc32d401a014b53410270e1a8e97065bf2c04decdeece555762b6834dd20366aa4b75586a6dcdb6616f7b004d8ff429f3681d862bc2bdf

    • SSDEEP

      49152:CG6rYHQQFDut9t96xHVur1h63EuHenNMZ+Kzi:q8HQSosHM63EEWNMvzi

    Score
    10/10
    webmonitorbackdoordefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratupxevasion

    • Modifies WinLogon for persistence

      persistence

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

      backdoorratinfostealerwebmonitor

    • WebMonitor payload

    • Webmonitor family

      webmonitor

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks