b602fb6eb87dc7c9ff43e14cd10fc5e9515399004af984bc12590e8ec5a4bd0f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
Size

1.9MB
MD5

07183098f7c770858409ee72f9f2e13b
SHA1

b8ca323e122122a74fa30c41f0dd00fd1fcd8cee
SHA256

b602fb6eb87dc7c9ff43e14cd10fc5e9515399004af984bc12590e8ec5a4bd0f
SHA512

34013b657e7c84fdcf04a105aa41be8e049acc5d80e4b892e2e65700e4422731a03254a1d766ed7809c50026a2cbbb9dea46e7075726c02ab8a95ba7b731d832
SSDEEP

49152:E8EeYRpJ2df6EGKgDCxYCQe70bI+WGck2okyosxGy:oxJ2dbGtZCQNbEGNkyoSGy

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
2836	KSWebShield.exe
2196	kwstray.exe
2756	KSWebShield.exe
2600	KSWebShield.exe
2876	kwstray.exe
2800	KSWebShield.exe
2512	KSWebShield.exe
1776	KSWebShield.exe
1844	kwstray.exe

Loads dropped DLL 15 IoCs

pid	Process
2836	KSWebShield.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2964	cmd.exe
2836	KSWebShield.exe
2800	KSWebShield.exe
2512	KSWebShield.exe
2512	KSWebShield.exe
1776	KSWebShield.exe
2964	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\shezhi_12.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\shezhi_hover.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\iepopo\kwebapp.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\replace.htm	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\button01_hover.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\orange\close_normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\public	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kswebshield.dll	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\alert.html	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\iepopo\auto_del_n.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob2_normal.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace\down_border.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\green	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\green\close_down.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\red\bg.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\red\submit_hover.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\about	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\iepopo\close_h.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\mingdan_on.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace\btn_down.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace\btn_normal.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\alert	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\newtip	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\style\newtip.css	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\setup.bat	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kws.ini	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\green\close_normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\about\js_loader.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\index\call_back.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\red\submit_down.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\iepopo\auto_del_h.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\newtip.htm	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\alert\btn_normal.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\mingdan_hover.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\shezhi_normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace\right_border.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\public\js\kajax.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\alert\ico1.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\option\kwebapp.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kavifr.dll	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\index\getnews.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\js\alert\kwebapp.js	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\style\replace.css	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\jiankong_bg.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\shezhi_on.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\popo\images\red\cancel _normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\ksais.dat	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwspop.dll	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\alert\close_down.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob2_normal.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob3_hover.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\jiankong_normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\shezhi_normal.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\replace\btn_normal.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\replace.htm	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\alert\close_down.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\iepopo\confirm_d.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob1_down.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob1_hover.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwssp.dll	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\about\button.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\icob3_hover.gif	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\webui\kwebshield\images\index\table_button_right.jpg	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwstray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSWebShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwstray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwstray.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2792	taskkill.exe
2548	taskkill.exe
2496	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	KSWebShield.exe
Token: SeDebugPrivilege	2600	KSWebShield.exe
Token: SeDebugPrivilege	2756	KSWebShield.exe
Token: 33	2836	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	2836	KSWebShield.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2512	KSWebShield.exe
Token: 33	2512	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	2512	KSWebShield.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2800	KSWebShield.exe
2800	KSWebShield.exe
1776	KSWebShield.exe
1776	KSWebShield.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 892	1684	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe	28
PID 1684 wrote to memory of 892	1684	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe	28
PID 1684 wrote to memory of 892	1684	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe	28
PID 1684 wrote to memory of 892	1684	07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe	28
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 892 wrote to memory of 2964	892	WScript.exe	30
PID 2964 wrote to memory of 2860	2964	cmd.exe	32
PID 2964 wrote to memory of 2860	2964	cmd.exe	32
PID 2964 wrote to memory of 2860	2964	cmd.exe	32
PID 2964 wrote to memory of 2860	2964	cmd.exe	32
PID 2964 wrote to memory of 2052	2964	cmd.exe	33
PID 2964 wrote to memory of 2052	2964	cmd.exe	33
PID 2964 wrote to memory of 2052	2964	cmd.exe	33
PID 2964 wrote to memory of 2052	2964	cmd.exe	33
PID 2052 wrote to memory of 2992	2052	net.exe	34
PID 2052 wrote to memory of 2992	2052	net.exe	34
PID 2052 wrote to memory of 2992	2052	net.exe	34
PID 2052 wrote to memory of 2992	2052	net.exe	34
PID 2964 wrote to memory of 2196	2964	cmd.exe	36
PID 2964 wrote to memory of 2196	2964	cmd.exe	36
PID 2964 wrote to memory of 2196	2964	cmd.exe	36
PID 2964 wrote to memory of 2196	2964	cmd.exe	36
PID 2964 wrote to memory of 2600	2964	cmd.exe	37
PID 2964 wrote to memory of 2600	2964	cmd.exe	37
PID 2964 wrote to memory of 2600	2964	cmd.exe	37
PID 2964 wrote to memory of 2600	2964	cmd.exe	37
PID 2964 wrote to memory of 2756	2964	cmd.exe	38
PID 2964 wrote to memory of 2756	2964	cmd.exe	38
PID 2964 wrote to memory of 2756	2964	cmd.exe	38
PID 2964 wrote to memory of 2756	2964	cmd.exe	38
PID 2964 wrote to memory of 2876	2964	cmd.exe	39
PID 2964 wrote to memory of 2876	2964	cmd.exe	39
PID 2964 wrote to memory of 2876	2964	cmd.exe	39
PID 2964 wrote to memory of 2876	2964	cmd.exe	39
PID 2964 wrote to memory of 2792	2964	cmd.exe	40
PID 2964 wrote to memory of 2792	2964	cmd.exe	40
PID 2964 wrote to memory of 2792	2964	cmd.exe	40
PID 2964 wrote to memory of 2792	2964	cmd.exe	40
PID 2836 wrote to memory of 2800	2836	KSWebShield.exe	41
PID 2836 wrote to memory of 2800	2836	KSWebShield.exe	41
PID 2836 wrote to memory of 2800	2836	KSWebShield.exe	41
PID 2836 wrote to memory of 2800	2836	KSWebShield.exe	41
PID 2964 wrote to memory of 2548	2964	cmd.exe	42
PID 2964 wrote to memory of 2548	2964	cmd.exe	42
PID 2964 wrote to memory of 2548	2964	cmd.exe	42
PID 2964 wrote to memory of 2548	2964	cmd.exe	42
PID 2964 wrote to memory of 2496	2964	cmd.exe	43
PID 2964 wrote to memory of 2496	2964	cmd.exe	43
PID 2964 wrote to memory of 2496	2964	cmd.exe	43
PID 2964 wrote to memory of 2496	2964	cmd.exe	43
PID 2964 wrote to memory of 2568	2964	cmd.exe	44
PID 2964 wrote to memory of 2568	2964	cmd.exe	44
PID 2964 wrote to memory of 2568	2964	cmd.exe	44
PID 2964 wrote to memory of 2568	2964	cmd.exe	44
PID 2568 wrote to memory of 2536	2568	net.exe	45
PID 2568 wrote to memory of 2536	2568	net.exe	45
PID 2568 wrote to memory of 2536	2568	net.exe	45
PID 2568 wrote to memory of 2536	2568	net.exe	45
PID 2512 wrote to memory of 1776	2512	KSWebShield.exe	47

C:\Users\Admin\AppData\Local\Temp\07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07183098f7c770858409ee72f9f2e13b_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\setup.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\setup.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\sc.exe
      sc create "Kingsoft Antivirus WebShield Service" start= auto binpath= "C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe" displayname= "Kingsoft Antivirus WebShield Service"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2860
  - - C:\Windows\SysWOW64\net.exe
      net start "Kingsoft Antivirus WebShield Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Kingsoft Antivirus WebShield Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
  - - C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwstray.exe
      kwstray.exe /install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
      KSWebShield.exe -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2600
  - - C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
      KSWebShield.exe -start
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwstray.exe
      kwstray.exe /showtray
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM KSWebShield.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM kwstray.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM kwsmain.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\SysWOW64\net.exe
      net start "Kingsoft Antivirus WebShield Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Kingsoft Antivirus WebShield Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
  - - C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwstray.exe
      kwstray.exe /showtray
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1844

C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
"C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
  "C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe" -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2800

C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
"C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe
  "C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe" -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KSWebShield.exe

Filesize
197KB

MD5
62165109b2685dd67571c61ed788e43f

SHA1
a0c4c8222a996f5760f678576fc4316578b98d2c

SHA256
86263560ffc6c04298b2e2ba674f1abfb36f3c988c3763033beab3e32ef4ff1e

SHA512
c75acea0d0ad3085c5ad2dae6a9fe298f13364d957db6470b3925fe3998c084466465ffab231302ccd998546da76a8d71e2eb8b6c8c5ac315144ec38d8c0d836

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KWSSVC.log

Filesize
448B

MD5
7d9522bcd7689629628e20f75f119ddc

SHA1
20766de2d2751b7dbce7449dcad41a74f815540e

SHA256
fddca332f48678a9ea77e67859a236772257b12a79ea40adb87d6ca0eabfa7cc

SHA512
624542f1838cc34406ee0211213991cd939746c207f3e09c7b9072a4f5cc46474fe0c63f9d269f67d294b1924564bcba6bdce4e15c7b050a6354e1ac77869152

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KWSSVC.log

Filesize
546B

MD5
5497d3fb23d156c4ff92ccc0d090bd59

SHA1
02ed901583355c9c5c6618b8bee3f93090838c20

SHA256
e8dc6b3a404dff01342ce83b79abb6a26260aea4d715e87104d32de33e6bc058

SHA512
7778217bb108882b326a6bad904182b456480bb873106c624df1282ced54c010794841e42ba5f04b3b74465332eec9c8caa640782e6a1e4ffa0909bb502b2562

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KWSSVC.log

Filesize
640B

MD5
151554fb79329fc36f4749dbf4006f70

SHA1
47884624ec6e2c3c035b84e033269655a1d671af

SHA256
3fd177064ef77ad84f9ad402cd3991404a81796129bea62511f1ff0bb8a39db6

SHA512
04c829c9d2654db27a61f74c2afb76a74c06734301ac1dc455ff372dd41e0e40a622789a47e943bb109719447db8341f5d5bb11275537437106391e5b03b835e

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\KWSSVC.log

Filesize
890B

MD5
7e5dcf86b4d91d9f29792af21010908f

SHA1
f8600cde25803ff7b505e01a4226ba2e07f9ec56

SHA256
f9620ed99ad318d19bbb0b8374b9410ae89a5a1d6b63fb8e150074a121628b7a

SHA512
d93185c45875e7a3e6963386d8a1ea4b7d50edf96803312bc5b7c2c7e74fd0e523f3ca34d8f41b0a5d339b59cf50444cd38a4d00c49acb7f7475a88215990405

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kws.ini

Filesize
278B

MD5
f0caddf716ec1af6aff12e425d115a96

SHA1
5150ed21a9fe42cd526c49a7365964dcc457f0ce

SHA256
6252d039ad2d7d9f7f171bf2bbe3ffdf4b024feba08cb0f47946f0784d565c0d

SHA512
9cc8d803b2ee6b9c362503ee25a6e9aa298507aa5474803e97dd52cf01190249fd3269d040e0af087ea5b80394cf962b650f350d609f6b60fabe548698ed79a2

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kws0.ini

Filesize
85B

MD5
fb2565465183a02a0542b62ce7658c07

SHA1
66e200ec0c5f7b3621969a8ec242351f62753eac

SHA256
841195fa97e9bae4292bb2be23527dd30d4fccae0410c4c535a42ef87b6c02a8

SHA512
3a6ebff76739f9919cf9d1d4ece43fb2582a52e5e52b5ab6ab46a0044a10a72024a962c3a063f933196f88f11cce44fdfc7b17a4c3b81bcdb90b2018bd082b15

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwssp.dll

Filesize
409KB

MD5
3ccb87acf97bf1f4f4481f3d9b53ae1a

SHA1
e768e3cd6f78ad3b3f0c9f497dbe6c6250ade71d

SHA256
5a6dfc1dc67210b3a18b21b2348fc59ffa31749945e7c6ffae0328c8092300dc

SHA512
83d3dcab80d7ac1f30f9682fb748b3c994bfdd15c9202c86b4c32e1c18d88ae64072aacb810e246268709197c04f0f312c3037038e1f45ed1d0e83f007a767e5

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwstray.exe

Filesize
445KB

MD5
4c608f698fe92f1602f708e521f0c5d7

SHA1
a80a1c9d4a12c8270150678586503c89b3061708

SHA256
be8c3fa62d03b9c53c41fde37f8b21fbbe227abf79f57d52f26678f345a53dbe

SHA512
0a662894218d8e4efb5638696e4f5b3de825f6e5ac8c485332202ea0e64fc0748586e80af5ad66257913f19a0ddea71022cc794909a4faf18f57ffcd5548b401

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\kwsui.dll

Filesize
313KB

MD5
2b9e7bf097a7a50dad91bd168365409d

SHA1
89df5e55bc837ed39fb5f0efd76e1021621f2243

SHA256
e3924849b8a686e9d22144815e07d3f799049efcc244011bac23ca55dbe675e3

SHA512
c075b5e5e213cf0fd4277a4a321a7520616794badda1d481b9a770dd867789714a2651b964406d98077eb5fca169bb81f31128113426a72a70a23bd752f19a9b

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\setup.bat

Filesize
515B

MD5
a78e555e85ebd6df891032c633a4766c

SHA1
9925254c5f6c07b7b73c9daa8fc4d4620849af00

SHA256
ab9d9aa4bb3772d48f9ac5387a20b55e3546166f69886ecdae52a6dcb599a7b4

SHA512
11fa7216eff30397f88bcb086937ca64c35ab47ceed96a87a2241f12be4e9bdc85bdfb75a27cab99a1a8e168b0724daa0bc63112cde18003d9ffa7e25956536c

Download Submit
C:\Program Files (x86)\Windows Media Player\Skins\wmplayer\setup.vbs

Filesize
1KB

MD5
346b807e15618fe531f9f9335bbcf321

SHA1
0a69a78d185652e6929e1de945b9bc3e3ff05302

SHA256
2c46fb546b9d33d5717047a6c97586c0bc0b71e96fa56be1e4e9e9d91e6a0c06

SHA512
835efbfbdb726697c169eec251944f066a44e2d56d449fed674f264a6119e5fa7c1f78111baa6d0c5fc72359ff2e0a537b7b07af6fbfdb2870c96ea8d580b213

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
56B

MD5
5c36b46db434d6e5e43d56beae878f80

SHA1
298fe8281e7154b909f228cd1366bc58304d64e3

SHA256
441ed4a66c6b9f8d881a630c30cc80039c4b44d525dd15977e70b3e4fa35b7f6

SHA512
5e072859ed9b2daa7feae007a55f8b09aac6cb3d4df78c5636b6d59ed090d0a7ddd19786a942de59ccf4e9c02b52f1ba959e2127a74dd3e0dff9b8634da935ab

Download Submit
memory/1684-410-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download