83b6b4e3f30ddc24d66d37f64335dd12ee12eb24935e179a710d7f536805d16d

General

Target

8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
Size

462KB
MD5

8a284fb08c14c389e222e728e6804724
SHA1

e0cfb0068e1f10aeda8fe0aae9e33dc19e694989
SHA256

83b6b4e3f30ddc24d66d37f64335dd12ee12eb24935e179a710d7f536805d16d
SHA512

bc85af3b95722d2231497b930f30f808c0411ce0611ec05921dd1fa9f38b049335ac5b8ae20517f639a521ce71db2cadab613d713b6f5211169ab803e13fff43
SSDEEP

12288:lAkrESVsFVbCktrHr/QEoK32eUDWgy0VVl:lbZVs3rdHb0eWW8VVl

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2180	wmsdk64_32.exe
2720	wscsvc32.exe

Loads dropped DLL 5 IoCs

pid	Process
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmsdk64_32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsdk64_32.exe"	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsdk64_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscsvc32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	wscsvc32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe
2180	wmsdk64_32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2720	wscsvc32.exe
2720	wscsvc32.exe
2720	wscsvc32.exe
2720	wscsvc32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2180	1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2180	1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2180	1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2180	1940	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2720	2180	wmsdk64_32.exe	32
PID 2180 wrote to memory of 2720	2180	wmsdk64_32.exe	32
PID 2180 wrote to memory of 2720	2180	wmsdk64_32.exe	32
PID 2180 wrote to memory of 2720	2180	wmsdk64_32.exe	32

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wmsdk64_32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wmsdk64_32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscsvc32.exe

C:\Users\Admin\AppData\Local\Temp\8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a284fb08c14c389e222e728e6804724_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1940
- C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe
  "C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe
    C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
299KB

MD5
e1832690d19dbec4f0270f2ec4d0a066

SHA1
1817cb79dcc6026a562d2e19cc45b4418038880c

SHA256
9fb5944b9d3bf71b59b17678db3eb95e0d49c82198f31d4a8a9be0596d0c2b9b

SHA512
85391a6fd703d72389e657abb0029517d353ad305edb4a1ab3defff17e1eae468a072059ddf4979fdaff9bdf91a090e4ca3845e240e882c79cbaa063caadc76e

Download Submit
\Users\Admin\AppData\Local\Temp\expand32xp.dll

Filesize
352KB

MD5
a0f37f97e24bb14535c5130e7662b9ac

SHA1
bcc25a32ca2d074df8411fb4f808f0cbbe037607

SHA256
cce97a5e6c1dd747176b1a4eb9b21c1601c0519ad3ec063cbdcee3ea6561d7f0

SHA512
313666afa1a57c3240aad720ed41a91a14ea5e9673df30263d896b4441a58a0db6fd6ea3af30283348eadb5d1ac466ea35bb438aa1d7a8c1fa3dadb051ac1401

Download Submit
\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe

Filesize
462KB

MD5
8a284fb08c14c389e222e728e6804724

SHA1
e0cfb0068e1f10aeda8fe0aae9e33dc19e694989

SHA256
83b6b4e3f30ddc24d66d37f64335dd12ee12eb24935e179a710d7f536805d16d

SHA512
bc85af3b95722d2231497b930f30f808c0411ce0611ec05921dd1fa9f38b049335ac5b8ae20517f639a521ce71db2cadab613d713b6f5211169ab803e13fff43

Download Submit
memory/1940-0-0x0000000000400000-0x0000000000478C00-memory.dmp

Filesize
483KB

Download
memory/1940-10-0x0000000000400000-0x0000000000478C00-memory.dmp

Filesize
483KB

Download
memory/2180-37-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2180-54-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2180-63-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2180-72-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2720-23-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download
memory/2720-40-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download
memory/2720-46-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download
memory/2720-55-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download
memory/2720-67-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download
memory/2720-73-0x0000000000400000-0x000000000044CC00-memory.dmp

Filesize
307KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads