| ID | Aliases | Platforms | Year | Associated ATT&CK Software |
|----|---------|-----------|------|----------------------------|
| X0023 | None | Windows | 2018 | None |

# WebCobra

Cryptojacking malware. [1]

## ATT&CK Techniques

| Name | Use |
|------|-----|
| Discovery::Process Discovery (T1057) | [1] |
| Discovery::System Time Discovery (T1124) | [1] |
| Discovery::Software Discovery::Security Software Discovery (T1518.001) | Learns about security software. [1] |
| Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | [1] |
| Defense Evasion::Indicator Removal on Host::File Deletion (T1070.004) | [1] |

## Enhanced ATT&CK Techniques

| Name | Use |
|------|-----|
| Discovery::System Information Discovery (E1082) | Learns about the system so it can drop compatible miner software. [1] |
| Execution::Command and Scripting Interpreter (E1059) | From the command line, drops and unzips a password-protected Cabinet archive file. [1] |
| Defense Evasion::Obfuscated Files or Information (E1027) | Obfuscates files. [1] |
| Defense Evasion::Process Injection (E1055) | Injects miner code into a running process. [1] |
| Defense Evasion::Disable or Evade Security Tools (F0004) | Most security products hook certain APIs to monitor the behavior of malware. To avoid being detected this way, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of the hooked API functions, which removes the hooks. [1] |

## MBC Behaviors

| Name | Use |
|------|-----|
| Execution::Install Additional Program (B0023) | Downloads and executes Claymore's Zcash miner from a remote server. [1] |
| Execution::Conditional Execution (B0025) | Executes differently depending on whether it is running on an x86 or x64 system. [1] |
| Impact::Resource Hijacking (B0018) | Drops software that mines cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture. [1] |
| Anti-Behavioral Analysis::Dynamic Analysis Evasion (B0003) | Evades dynamic analysis. [1] |
| Anti-Behavioral Analysis::Emulator Evasion (B0005) | Evades emulator-based analysis. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | WebCobra injects malicious code into svchost.exe and uses an infinite loop to check all open windows, comparing each window's title bar text with a set of strings to determine whether it is running in an isolated malware-analysis environment. [1] |

## Indicators of Compromise

### SHA256 Hashes

* 5e14478931e31cf804e08a09e8dffd091db9abd684926792dbebea9b827c9f37

## References

[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/

[2] https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336