| ID | X0023 |
| Type | Resource Exploitation |
| Aliases | None |
| Platforms | Windows |
| Year | 2018 |
| Associated ATT&CK Software | None |
WebCobra is cryptojacking malware. [1]
| Name | Use |
|---|---|
| Discovery::File and Directory Discovery (T1083) | The malware searches for various files and directories. [1] |
| Discovery::Query Registry (T1012) | The malware queries certain registry keys. [1] |
| Discovery::Process Discovery (T1057) | The malware identifies running processes on the system. [1] |
| Discovery::System Time Discovery (T1124) | The malware identifies the time/time zone on the system. [1] |
| Discovery::Software Discovery::Security Software Discovery (T1518.001) | The malware learns about security software on the system. [1] |
| Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | The malware drops encrypted files and decrypts them on the system. [1] |
| Defense Evasion::Indicator Removal on Host::File Deletion (T1070.004) | The malware deletes files to evade detection. [1] |
| Name | Use |
|---|---|
| Discovery::System Information Discovery (E1082) | Malware learns about the system so it can drop compatible miner software. [1] |
| Execution::Command and Scripting Interpreter (E1059) | From the command line, the malware drops and unzips a password-protected Cabinet archive file. [1] |
| Defense Evasion::Obfuscated Files or Information (E1027) | The dropped file is password-protected. Once unzipped, the file contains a DLL file to decrypt the second file (a bin file with an encrypted malicious payload). [1] |
| Defense Evasion::Process Injection (E1055) | The malware injects miner code into a running process. [1] |
| Defense Evasion::Disable or Evade Security Tools (F0004) | Most security products hook some APIs to monitor the behavior of malware. To avoid being identified by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs. [1] |
| Name | Use |
|---|---|
| Execution::Install Additional Program (B0023) | The malware downloads and executes Claymore's Zcash miner from a remote server. [1] |
| Execution::Conditional Execution (B0025) | The malware executes differently depending on whether it's running on an x86 or x64 system. [1] |
| Impact::Resource Hijacking::Cryptojacking (B0018.002) | The malware drops software that mines for cryptocurrency, depending on the system architecture. If the system has x86 architecture, the malware drops Cryptonight miner. If the system has x64 architecture, the malware drops Claymore's Zcash miner. [1] |
| Anti-Behavioral Analysis::Dynamic Analysis Evasion::Alternative ntdll.dll (B0003.001) | The malware loads ntdll.dll and user32.dll as data files and overwrites the first 8 bytes of those functions to avoid API hooking by security products. [1] |
| Anti-Behavioral Analysis::Emulator Evasion::Extra Loops/Time Locks (B0005.004) | The malware evades emulator-based analysis by using an infinite loop to check all open windows and compare each window's title bar to a list of strings. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check Windows - Title Bars (B0009.022) | WebCobra injects malicious code in to svchost.exe and uses an infinite loop to check all open windows and to compare each window’s title bar text with a set of strings to determine whether it is running in a VM. [1] |
| Discovery::Analysis Tool Discovery::Process Detection - PCAP Utilities (B0013.004) | When infecting a x64 architecture system, the malware terminates if Wireshark is running on the system. [1] |
SHA256 Hashes
- 5e14478931e31cf804e08a09e8dffd091db9abd684926792dbebea9b827c9f37
[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[2] https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336