2acfa669dce5852ee979edae56d7d6cef2a8027ba9083f6145ec7d63cd5e61f4

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
Size

1.5MB
MD5

a713bfbfbe7e8b1d8d4ee67370167c4f
SHA1

ed7e1c1404e75dea51d05571fa0d3fa7a961b35f
SHA256

2acfa669dce5852ee979edae56d7d6cef2a8027ba9083f6145ec7d63cd5e61f4
SHA512

20c544363d532fee030adff568631343251e9e0ef1676d5f4b08932cfcd6642226bffb950955ea675b46e9ed7ce7df404c9ba68413d26f9e184248cb190b233d
SSDEEP

24576:bciaZC+jrVnbz53x9vy8X3gyUbJMUe2QnB1CSO3IWeLz1pLC8jDagz6P2L9FN9:KZC0BBnvyc329ReB1ClmLCmJI2p5

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000234fa-40.dat	acprotect
behavioral2/memory/2596-44-0x0000000073510000-0x0000000073519000-memory.dmp	acprotect

Deletes itself 1 IoCs

pid	Process
4820	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
3188	nfregdrv.exe
1148	WNet.exe
752	WNet.exe

Loads dropped DLL 19 IoCs

pid	Process
2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
3188	nfregdrv.exe
2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
1148	WNet.exe
1148	WNet.exe
1148	WNet.exe
1148	WNet.exe
1148	WNet.exe
1148	WNet.exe
1148	WNet.exe
752	WNet.exe
752	WNet.exe
752	WNet.exe
752	WNet.exe
752	WNet.exe
752	WNet.exe
752	WNet.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234fa-40.dat	upx
behavioral2/memory/2596-44-0x0000000073510000-0x0000000073519000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	WNet.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	WNet.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	WNet.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	WNet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 4820	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	87

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WNet\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\uninst.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\nfapi.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\ssleay32.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\libeay32.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\ProtocolFilters.dll	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\nfregdrv.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WNet\ssfilterdrv.sys	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNet\WNet.exe	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WNet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WNet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WNet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WNet.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3188	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	85
PID 2596 wrote to memory of 3188	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	85
PID 2596 wrote to memory of 3188	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	85
PID 2596 wrote to memory of 1148	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	86
PID 2596 wrote to memory of 1148	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	86
PID 2596 wrote to memory of 1148	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	86
PID 2596 wrote to memory of 4820	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	87
PID 2596 wrote to memory of 4820	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	87
PID 2596 wrote to memory of 4820	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	87
PID 2596 wrote to memory of 4820	2596	a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe	87
PID 1148 wrote to memory of 1820	1148	WNet.exe	88
PID 1148 wrote to memory of 1820	1148	WNet.exe	88
PID 1148 wrote to memory of 1820	1148	WNet.exe	88
PID 1820 wrote to memory of 2632	1820	cmd.exe	90
PID 1820 wrote to memory of 2632	1820	cmd.exe	90
PID 1820 wrote to memory of 2632	1820	cmd.exe	90
PID 2632 wrote to memory of 4344	2632	net.exe	91
PID 2632 wrote to memory of 4344	2632	net.exe	91
PID 2632 wrote to memory of 4344	2632	net.exe	91

C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\WNet\nfregdrv.exe
  nfregdrv.exe C:\Windows\system32\drivers\ssfilterdrv.sys
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3188
- C:\Program Files (x86)\WNet\WNet.exe
  "C:\Program Files (x86)\WNet\WNet.exe" /install /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net start WNet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\net.exe
      net start WNet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start WNet
        5⤵
        
        PID:4344
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:4820

C:\Program Files (x86)\WNet\WNet.exe
"C:\Program Files (x86)\WNet\WNet.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WNet\ProtocolFilters.dll

Filesize
360KB

MD5
fab8104ced422c551bcf2dda631e5930

SHA1
ccdb59de36d3ca7fe080f173bf437a98701a367b

SHA256
34fd513f254f3491a314b64f8883b289ab96a2b975ce6fa357c0ae11ed12d3df

SHA512
52608279186f108284bef7cf5e6031d67ae1d700121a22ef7da00a8ef81ae2430e64adabd2fa9c186ebf7d7d5c9df8bd0183d35071d4c1e594e8118a0f576870

Download Submit
C:\Program Files (x86)\WNet\WNet.exe

Filesize
426KB

MD5
45571677457a9bfd49aadada0fd91ca8

SHA1
15bb2446b1b6a54c03963c02dcffbe6886d09a56

SHA256
4dad1b7a2398c2d770d1d5d519c8a9b1877c430017cf1f17d414b926d6056ad3

SHA512
27d78e775cf275e1f068bb72056f8e9694006c75f674449ef2696791edb504e54aacea702152f9947b369b3c93488a91d54b15175a81b544e4ffacfd1eb45cbd

Download Submit
C:\Program Files (x86)\WNet\libeay32.dll

Filesize
1.4MB

MD5
47a9d585dbf59f54574d978c4200a520

SHA1
ee99ab151751ee720833efb0c3a031d09bd13833

SHA256
421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780

SHA512
d23516719ff06134c8614d27813b828b7815298404824623ae25a35dafde6515ebf80476405235933faad9bc70acfe5e295e8fabe5af091f544a23f3e2a0b565

Download Submit
C:\Program Files (x86)\WNet\nfapi.dll

Filesize
124KB

MD5
04a835251535006c85473a604fba8bdc

SHA1
4bed678d9836e20d1f48792a8f4ba1d41e94f629

SHA256
e99db65a51db72018f0469b6d5096a2d469b790efdeec50a955b8ac4e19f16e8

SHA512
e47c5072fd8b581e8312148ca48490a86d4f51d58e6acef90d3d3de8bca5660d62a1b935357f9307c6f89cc35d1d332b0f42f402abf87a8959d4c29af8e5ee67

Download Submit
C:\Program Files (x86)\WNet\nfregdrv.exe

Filesize
48KB

MD5
92a6df47283b49b207045fa7a4502bc1

SHA1
718e9ff5f0fd9143de4f8fcf135d78165f991e9d

SHA256
d714695c9775bd7dbb1fa40882bbe03216acb3994b94514a68892454eada0358

SHA512
f2b08a4ae33e87a786fe25a2d902c8acb002faa4893a1f21d5608cbe070477af1b9c553c8960486a65089ad1e0be1491cb93cc60da9f3394c893525fa075d645

Download Submit
C:\Program Files (x86)\WNet\ssfilterdrv.sys

Filesize
56KB

MD5
7b94b6b6dfcf47fedf7fe436674c6b3c

SHA1
91d90c7e4b5b8409a03913d533f858a41d486ecc

SHA256
0d883f9871b2b85f3e9d3f680cafb825085b7468ddb86f9e9d5e74d21ab1a0ae

SHA512
3db29cbef35f2cba0d02ff734e9c8d979f94c23e8164f6616319c7702345f79352077077148bbce54f0c67aeaf0fb9d0d2d077eeba8a837c4105ef331d7a2730

Download Submit
C:\Program Files (x86)\WNet\ssleay32.dll

Filesize
368KB

MD5
2da6e9df4979ca65a01c4df6eb5600d2

SHA1
8bb90aca4e3387629e76d5c8cb53743990d891ec

SHA256
bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14

SHA512
e146c42fee06702b80ca46d7a281a8c0600b9a35213accac29dc3c505d9d1f0405c4a69f22258042fbe4d35278c2c47ba878b1f2bfaa739eb1501428ea5f90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3366.tmp\SelfDel.dll

Filesize
5KB

MD5
e5786e8703d651bc8bd4bfecf46d3844

SHA1
fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

SHA256
d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

SHA512
d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3366.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3366.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/752-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/752-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1148-49-0x0000000000920000-0x000000000097C000-memory.dmp

Filesize
368KB

Download
memory/1148-60-0x00000000009E0000-0x0000000000B53000-memory.dmp

Filesize
1.4MB

Download
memory/1148-56-0x0000000000980000-0x00000000009DD000-memory.dmp

Filesize
372KB

Download
memory/1148-70-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1148-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2596-69-0x0000000073510000-0x0000000073519000-memory.dmp

Filesize
36KB

Download
memory/2596-44-0x0000000073510000-0x0000000073519000-memory.dmp

Filesize
36KB

Download
memory/2596-31-0x0000000002610000-0x0000000002623000-memory.dmp

Filesize
76KB

Download