webcobra.md

ID	X0023
Aliases
Platforms	Windows
Year	2018
Associated ATT&CK Software	None

WebCobra

Cryptojacking malware. [1]

Behaviors

Name	Use
File and Directory Discovery	[1]
Query Registry	[1]
System Information Discovery	Learns about the system so it can drop compatible miner software. [1]
Process Discovery	[1]
System Time Discovery	[1]
Software Discovery::Security Software Discovery	Learns about security software. [1]
Command and Scripting Interpreter	From the command line, drops and unzips a password-protected Cabinet archive file. [1]
Install Additional Program	Downloads and executes Claymore's Zcash miner from a remote server. [1]
Conditional Execution	Executes differently depending on whether it's running on an x86 or x64 system. [1]
Resource Hijacking	Drops software that mines for cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture. [1]
Dynamic Analysis Evasion	[1]
Emulator Evasion	[1]
Virtual Machine Detection	WebCobra injects malicious code to svchost.exe and uses an infinite loop to check all open windows and to compare each window’s title bar text with a set of strings to determine whether it is running in an isolated, malware analysis environment. [1]
Deobfuscate/Decode Files or Information	[1]
Obfuscated Files or Information	[1]
Indicator Removal on Host::File Deletion	[1]
Process Injection	Injects miner code into a running process.
Disable or Evade Security Tools	Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs. [1]

References

[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/

[2] https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336