2acfa669dce5852ee979edae56d7d6cef2a8027ba9083f6145ec7d63cd5e61f4

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
Size

1.5MB
MD5

a713bfbfbe7e8b1d8d4ee67370167c4f
SHA1

ed7e1c1404e75dea51d05571fa0d3fa7a961b35f
SHA256

2acfa669dce5852ee979edae56d7d6cef2a8027ba9083f6145ec7d63cd5e61f4
SHA512

20c544363d532fee030adff568631343251e9e0ef1676d5f4b08932cfcd6642226bffb950955ea675b46e9ed7ce7df404c9ba68413d26f9e184248cb190b233d
SSDEEP

24576:bciaZC+jrVnbz53x9vy8X3gyUbJMUe2QnB1CSO3IWeLz1pLC8jDagz6P2L9FN9:KZC0BBnvyc329ReB1ClmLCmJI2p5

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/2412-48-0x0000000074EC0000-0x0000000074EC9000-memory.dmp	acprotect
behavioral1/files/0x0006000000016d2a-46.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2600	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2772	nfregdrv.exe
2992	WNet.exe
2968	WNet.exe

Loads dropped DLL 16 IoCs

pid	Process
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2772	nfregdrv.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2992	WNet.exe
2992	WNet.exe
2992	WNet.exe
2992	WNet.exe
2968	WNet.exe
2968	WNet.exe
2968	WNet.exe
2968	WNet.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2412-48-0x0000000074EC0000-0x0000000074EC9000-memory.dmp	upx
behavioral1/files/0x0006000000016d2a-46.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WNet\uninst.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WNet\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\WNet.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\ProtocolFilters.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\nfregdrv.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\nfapi.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\ssleay32.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\libeay32.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	WNet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WNet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-8b-a4-8d-86-ff\WpadDecisionTime = 30147834e8bdda01	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WNet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}\WpadDecisionTime = 30147834e8bdda01	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-8b-a4-8d-86-ff	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}\WpadDecisionReason = "1"	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}\WpadDecision = "0"	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}\WpadNetworkName = "Network 3"	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF275E0B-A5D0-44FC-AF6F-C7853DB8FDA0}\7e-8b-a4-8d-86-ff	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WNet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	WNet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-8b-a4-8d-86-ff\WpadDecisionReason = "1"	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-8b-a4-8d-86-ff\WpadDecision = "0"	WNet.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2772	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2772	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2772	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2772	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2992	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2992	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2992	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2992	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2600	2412	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2636	2992	WNet.exe	31
PID 2992 wrote to memory of 2636	2992	WNet.exe	31
PID 2992 wrote to memory of 2636	2992	WNet.exe	31
PID 2992 wrote to memory of 2636	2992	WNet.exe	31
PID 2636 wrote to memory of 1968	2636	cmd.exe	33
PID 2636 wrote to memory of 1968	2636	cmd.exe	33
PID 2636 wrote to memory of 1968	2636	cmd.exe	33
PID 2636 wrote to memory of 1968	2636	cmd.exe	33
PID 1968 wrote to memory of 2544	1968	net.exe	34
PID 1968 wrote to memory of 2544	1968	net.exe	34
PID 1968 wrote to memory of 2544	1968	net.exe	34
PID 1968 wrote to memory of 2544	1968	net.exe	34

C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\WNet\nfregdrv.exe
  nfregdrv.exe C:\Windows\system32\drivers\ssfilterdrv.sys
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2772
- C:\Program Files (x86)\WNet\WNet.exe
  "C:\Program Files (x86)\WNet\WNet.exe" /install /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net start WNet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\net.exe
      net start WNet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start WNet
        5⤵
        
        PID:2544
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:2600

C:\Program Files (x86)\WNet\WNet.exe
"C:\Program Files (x86)\WNet\WNet.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WNet\LIBEAY32.dll

Filesize
1.4MB

MD5
47a9d585dbf59f54574d978c4200a520

SHA1
ee99ab151751ee720833efb0c3a031d09bd13833

SHA256
421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780

SHA512
d23516719ff06134c8614d27813b828b7815298404824623ae25a35dafde6515ebf80476405235933faad9bc70acfe5e295e8fabe5af091f544a23f3e2a0b565

Download Submit
C:\Program Files (x86)\WNet\ProtocolFilters.dll

Filesize
360KB

MD5
fab8104ced422c551bcf2dda631e5930

SHA1
ccdb59de36d3ca7fe080f173bf437a98701a367b

SHA256
34fd513f254f3491a314b64f8883b289ab96a2b975ce6fa357c0ae11ed12d3df

SHA512
52608279186f108284bef7cf5e6031d67ae1d700121a22ef7da00a8ef81ae2430e64adabd2fa9c186ebf7d7d5c9df8bd0183d35071d4c1e594e8118a0f576870

Download Submit
C:\Program Files (x86)\WNet\SSLEAY32.dll

Filesize
368KB

MD5
2da6e9df4979ca65a01c4df6eb5600d2

SHA1
8bb90aca4e3387629e76d5c8cb53743990d891ec

SHA256
bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14

SHA512
e146c42fee06702b80ca46d7a281a8c0600b9a35213accac29dc3c505d9d1f0405c4a69f22258042fbe4d35278c2c47ba878b1f2bfaa739eb1501428ea5f90af

Download Submit
C:\Program Files (x86)\WNet\nfapi.dll

Filesize
124KB

MD5
04a835251535006c85473a604fba8bdc

SHA1
4bed678d9836e20d1f48792a8f4ba1d41e94f629

SHA256
e99db65a51db72018f0469b6d5096a2d469b790efdeec50a955b8ac4e19f16e8

SHA512
e47c5072fd8b581e8312148ca48490a86d4f51d58e6acef90d3d3de8bca5660d62a1b935357f9307c6f89cc35d1d332b0f42f402abf87a8959d4c29af8e5ee67

Download Submit
C:\Program Files (x86)\WNet\ssfilterdrv.sys

Filesize
55KB

MD5
926bd4a985c21b22b61d90ef1b0cfc06

SHA1
86d9dff934a0085eaa9c6ede6250ee241d2053dc

SHA256
25e8a0d5925e6e05e117a68312341fe38d4f374a520ae5236490831c4f762c58

SHA512
5517f5c7662d138b2e2670d59fc997f7455d1e3418e464c09d1cc575d54535e4962fbf790cfe6e6b3d2b173f71a438fe3e0dab241e2f04fabdb2232d1d91d99b

Download Submit
\Program Files (x86)\WNet\WNet.exe

Filesize
426KB

MD5
45571677457a9bfd49aadada0fd91ca8

SHA1
15bb2446b1b6a54c03963c02dcffbe6886d09a56

SHA256
4dad1b7a2398c2d770d1d5d519c8a9b1877c430017cf1f17d414b926d6056ad3

SHA512
27d78e775cf275e1f068bb72056f8e9694006c75f674449ef2696791edb504e54aacea702152f9947b369b3c93488a91d54b15175a81b544e4ffacfd1eb45cbd

Download Submit
\Program Files (x86)\WNet\nfregdrv.exe

Filesize
48KB

MD5
92a6df47283b49b207045fa7a4502bc1

SHA1
718e9ff5f0fd9143de4f8fcf135d78165f991e9d

SHA256
d714695c9775bd7dbb1fa40882bbe03216acb3994b94514a68892454eada0358

SHA512
f2b08a4ae33e87a786fe25a2d902c8acb002faa4893a1f21d5608cbe070477af1b9c553c8960486a65089ad1e0be1491cb93cc60da9f3394c893525fa075d645

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1122.tmp\SelfDel.dll

Filesize
5KB

MD5
e5786e8703d651bc8bd4bfecf46d3844

SHA1
fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

SHA256
d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

SHA512
d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1122.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1122.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2412-13-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2412-32-0x00000000003C0000-0x00000000003D3000-memory.dmp

Filesize
76KB

Download
memory/2412-48-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

Filesize
36KB

Download
memory/2968-77-0x0000000000480000-0x00000000004DC000-memory.dmp

Filesize
368KB

Download
memory/2968-80-0x00000000004E0000-0x000000000053D000-memory.dmp

Filesize
372KB

Download
memory/2968-83-0x0000000000540000-0x00000000006B3000-memory.dmp

Filesize
1.4MB

Download
memory/2968-85-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2968-87-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2992-56-0x0000000000480000-0x00000000004DD000-memory.dmp

Filesize
372KB

Download
memory/2992-60-0x00000000004E0000-0x0000000000653000-memory.dmp

Filesize
1.4MB

Download
memory/2992-62-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2992-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2992-52-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download