d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
Size

344KB
MD5

00442a088456ce18a43187605557b3d1
SHA1

d02f19accf695508bc31a650539934d8ea46fb15
SHA256

d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422
SHA512

62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7
SSDEEP

6144:V6DdOsqgCFKNnhMA6GOopUtQ9KIwD13KJ181KUO:sZOsSwhCGbWWu13E0

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-houjp__.Txt

Ransom Note

$2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/408F1196AF7A8BEE http://aq3ef.goimocoa.at/408F1196AF7A8BEE http://fl43s.toabolt.at/408F1196AF7A8BEE If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/408F1196AF7A8BEE $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/408F1196AF7A8BEE http://aq3ef.goimocoa.at/408F1196AF7A8BEE http://fl43s.toabolt.at/408F1196AF7A8BEE Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/408F1196AF7A8BEE Your personal ID 408F1196AF7A8BEE $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9 $2&)"(1%?2>/#'1=."#$<-!6#:+ 8(9

URLs

http://h3ds4.maconslab.com/408F1196AF7A8BEE

http://aq3ef.goimocoa.at/408F1196AF7A8BEE

http://fl43s.toabolt.at/408F1196AF7A8BEE

http://xzjvzkgjxebzreap.onion/408F1196AF7A8BEE

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

wsmprovhost.exe

pid	Process
2504	wsmprovhost.exe

Loads dropped DLL 2 IoCs

Processes:

00442a088456ce18a43187605557b3d1_JaffaCakes118.exe

pid	Process
2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\FIX2-iwtiiy = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\AppData\\Roaming\\wsmprovhost.exe\""	wsmprovhost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\{RecOveR}-houjp__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\{RecOveR}-houjp__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\{RecOveR}-houjp__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	wsmprovhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

00442a088456ce18a43187605557b3d1_JaffaCakes118.exewsmprovhost.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wsmprovhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wsmprovhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wsmprovhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wsmprovhost.exe

pid	Process
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe
2504	wsmprovhost.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

wsmprovhost.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2504	wsmprovhost.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

00442a088456ce18a43187605557b3d1_JaffaCakes118.exewsmprovhost.exe

description	pid	Process	procid_target
PID 2984 wrote to memory of 2504	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2504	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2504	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2504	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2908	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2908	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2908	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2908	2984	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2884	2504	wsmprovhost.exe	33
PID 2504 wrote to memory of 2884	2504	wsmprovhost.exe	33
PID 2504 wrote to memory of 2884	2504	wsmprovhost.exe	33
PID 2504 wrote to memory of 2884	2504	wsmprovhost.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wsmprovhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wsmprovhost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00442a088456ce18a43187605557b3d1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2504
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\00442A~1.EXE >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-houjp__.Htm

Filesize
9KB

MD5
73f1f86704519f3d9bfd6a60b1195135

SHA1
df2bcf9842dca033ea89ca38f30458a1757f16a5

SHA256
878e027c490e233a2d81f01f5fd406339dc9b9dd8bea927b45c2e389246fc8dd

SHA512
5cc352f132678d0968f5528cee277163c75845fd85c53eacad4f50338a350dc1ebd1ee181238d1d377d558faf6060519140a08603d997152fd04af84c8b490fa

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-houjp__.Png

Filesize
95KB

MD5
a7faa0f02bdfb492db172bb40b401431

SHA1
8ee07b4483015f25190997fbb509b6de897289ec

SHA256
82d3ff63a3d980dac39bc0e2942e669214240d926f4f00a290460a8d04c98b2c

SHA512
beda85ebc5735320024ee494bdbbcfd788cd0ea8b7223c1a5d5c521af91cc5999137e071f7fbb32b882de5860ea923d4dec8745db42ca99a37b528756f51fc6f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-houjp__.Txt

Filesize
2KB

MD5
ab4ef43dab420df4ea32ae06c80d0354

SHA1
274c7680511bb9f904b2e48cc05568df6738106b

SHA256
4d4aa9b205966e9456f677e1e21627806475fc0f24bfa6519afc2b70cb5dd87e

SHA512
bfca3e6fcaac6cad103e01e4b6f2fe93320f370a7f11f6aad419438a91778b537f9acf6bca84c3392d73ccddb838398a69b62c813fa84b3cd769bebf3c3a2e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF1B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF8B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimate\license.rtf

Filesize
35KB

MD5
13beb8fa053d18f2a40faa30a1817fb8

SHA1
b5a9a419be04a75f94f5e7d9361f05433ac7c9af

SHA256
f81a02bac45c57b0b084e21f31393bebf6d77d85c3d40cd23a8bc881bb4e1e1f

SHA512
1e6565740a158a5e6b9518ec6a43f5bd780ef2b1ed6805a1ee3cd6bf338422ee5c07762c891b4f78ee4d1096c5b82eeebeb6261e7f120500954650ec19ac5036

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homepremiume\license.rtf

Filesize
28KB

MD5
593d298b498ff2ba12ca3f9a5dd186e4

SHA1
c99b2f76625e6c3730f2a409c43f11507b1ff358

SHA256
553695d412ac38875d4210f7a360798dd06ad3220d8ed5971889f919bfca503c

SHA512
d0d446ed1b819da8f1509dd66241fc91c340838f8c342f85ec4cb0e644b9aa6fe238757f399d16ef9bbee32a13c640af6c85dbea75f93da2f0262428ada18969

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startere\license.rtf

Filesize
28KB

MD5
c30fadbe1165ea07e36b308fd6282637

SHA1
ed46636a45d7e82c76383f78bfd8f4ae5235bbdc

SHA256
be93a9f119086438c5b79fb254f6a699dccae4fa3d4fa773b6e23bfcfa849772

SHA512
b73316f72e26a8b49d7a9f2e98f9bcdd0f129ae2da5e3aaf9c06de1e54eee8e8863ec253f7cc77ecf6a5cf8120fb98cb93bf4496e54510db0384a8f5c8f4188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startern\license.rtf

Filesize
35KB

MD5
32648bce3ed0427fdc1ea0180b600078

SHA1
8a251c54ab92be73dc5fdc567426953ed58fcb1d

SHA256
a1f6710b896070923b232616f5b2feecda166e1408af14647ce6efd6651482ab

SHA512
e32f37d3430f8b168c13d7ca9bace6d73e70959be579ce4b5528fdd6aa7a81036978023a5214c83e4ff995c24ac6c830cb6571b184850f251ac63482f64a38ea

Download Submit
\Users\Admin\AppData\Roaming\wsmprovhost.exe

Filesize
344KB

MD5
00442a088456ce18a43187605557b3d1

SHA1
d02f19accf695508bc31a650539934d8ea46fb15

SHA256
d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

SHA512
62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7

Download Submit
memory/2504-676-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-7376-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-1382-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-2192-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-3010-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-3856-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-4747-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-11331-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-487-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-10302-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-9390-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2504-8371-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2984-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2984-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2984-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download