Tasks (tria.ge sidebar; score out of 10, the badge the sidebar shows after each entry)

Entry                    Platform             Score
Overview                 -                    8
Static                   -                    3
a713bfbfbe...18.exe      windows7-x64         8
a713bfbfbe...18.exe      windows10-2004-x64   8
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
ProtocolFilters.dll      windows7-x64         1
ProtocolFilters.dll      windows10-2004-x64   3
WNet.exe                 windows7-x64         1
WNet.exe                 windows10-2004-x64   1
libeay32.dll             windows7-x64         1
libeay32.dll             windows10-2004-x64   1
nfapi.dll                windows7-x64         1
nfapi.dll                windows10-2004-x64   1
ssfilterdrv.sys          windows7-x64         1
ssfilterdrv.sys          windows10-2004-x64   1
ssleay32.dll             windows7-x64         1
ssleay32.dll             windows10-2004-x64   1

Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/06/2024, 23:19
Task list

Task           Sample                                               Resource
static1        (static analysis of the submitted file)              -
behavioral1    a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe   win7-20240611-en
behavioral2    a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe   win10v2004-20240611-en
behavioral3    $PLUGINSDIR/System.dll                               win7-20240419-en
behavioral4    $PLUGINSDIR/System.dll                               win10v2004-20240508-en
behavioral5    ProtocolFilters.dll                                  win7-20240611-en
behavioral6    ProtocolFilters.dll                                  win10v2004-20240226-en
behavioral7    WNet.exe                                             win7-20240508-en
behavioral8    WNet.exe                                             win10v2004-20240508-en
behavioral9    libeay32.dll                                         win7-20240419-en
behavioral10   libeay32.dll                                         win10v2004-20240611-en
behavioral11   nfapi.dll                                            win7-20240220-en
behavioral12   nfapi.dll                                            win10v2004-20240508-en
behavioral13   ssfilterdrv.sys                                      win7-20240611-en
behavioral14   ssfilterdrv.sys                                      win10v2004-20240611-en
behavioral15   ssleay32.dll                                         win7-20240611-en
behavioral16   ssleay32.dll                                         win10v2004-20240611-en

The Analysis, Signatures, Processes and Downloads sections on this page belong to behavioral2 (win10v2004-20240611-en), the task the YARA hits below are filed under. The $PLUGINSDIR/System.dll task is the NSIS System plugin extracted from the installer, which identifies the submitted file as an NSIS-built installer; the other tasks are the files it drops into C:\Program Files (x86)\WNet.
General

- Target: a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe
- Size: 1.5MB
- MD5: a713bfbfbe7e8b1d8d4ee67370167c4f
- SHA1: ed7e1c1404e75dea51d05571fa0d3fa7a961b35f
- SHA256: 2acfa669dce5852ee979edae56d7d6cef2a8027ba9083f6145ec7d63cd5e61f4
- SHA512: 20c544363d532fee030adff568631343251e9e0ef1676d5f4b08932cfcd6642226bffb950955ea675b46e9ed7ce7df404c9ba68413d26f9e184248cb190b233d
- SSDEEP: 24576:bciaZC+jrVnbz53x9vy8X3gyUbJMUe2QnB1CSO3IWeLz1pLC8jDagz6P2L9FN9:KZC0BBnvyc329ReB1ClmLCmJI2p5
Malware Config
Signatures

- Drops file in Drivers directory (2 IoCs)
  File created: C:\Windows\System32\drivers\ssfilterdrv.sys  (a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe)
  File opened for modification: C:\Windows\System32\drivers\ssfilterdrv.sys  (a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe)

- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  behavioral2/files/0x00080000000234fa-40.dat  (yara: acprotect)
  behavioral2/memory/2596-44-0x0000000073510000-0x0000000073519000-memory.dmp  (yara: acprotect)

- Deletes itself (1 IoC)
  PID 4820 explorer.exe

- Executes dropped EXE (3 IoCs)
  PID 3188 nfregdrv.exe; PID 1148 WNet.exe; PID 752 WNet.exe

- Loads dropped DLL (19 IoCs)
  PID 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe (4 loads); PID 3188 nfregdrv.exe (1); PID 1148 WNet.exe (7); PID 752 WNet.exe (7)

- UPX (signature headline not captured on the page; YARA rule upx) (2 IoCs)
  behavioral2/files/0x00080000000234fa-40.dat  (yara: upx)
  behavioral2/memory/2596-44-0x0000000073510000-0x0000000073519000-memory.dmp  (yara: upx)
  Caveat: the acprotect and upx rules fire on the same dropped file and on the same 0x9000-byte image mapped at 0x73510000 in PID 2596. Two packer identifications for one artifact cannot both be right at face value; confirm against the dropped file's section names and entropy before recording a packer.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in System32 directory (4 IoCs), all opened for modification by WNet.exe:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  Reading: SysWOW64\config\systemprofile is the LocalSystem profile as a 32-bit process sees it, and these are WinINet cache directories. Together with the HKEY_USERS\.DEFAULT writes below, this is consistent with the WNet.exe service instance (PID 752) running as SYSTEM and initialising WinINet, not with a user-context drop into System32.

- Suspicious use of SetThreadContext (1 IoC)
  PID 2596 (a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe) set thread context of PID 4820 (procid_target 87; explorer.exe in the process tree).
  Reading: 2596 also wrote four times into 4820 (see WriteProcessMemory below), and 4820 is the process credited with "Deletes itself". The installer starts C:\Windows\SysWOW64\explorer.exe, writes into it, redirects a thread, and the hollowed explorer.exe then removes the sample file.

- Drops file in Program Files directory (9 IoCs), all by a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe:
  File created: C:\Program Files (x86)\WNet\ssfilterdrv.sys
  File created: C:\Program Files (x86)\WNet\uninst.exe
  File created: C:\Program Files (x86)\WNet\nfapi.dll
  File created: C:\Program Files (x86)\WNet\ssleay32.dll
  File created: C:\Program Files (x86)\WNet\libeay32.dll
  File created: C:\Program Files (x86)\WNet\ProtocolFilters.dll
  File created: C:\Program Files (x86)\WNet\nfregdrv.exe
  File opened for modification: C:\Program Files (x86)\WNet\ssfilterdrv.sys
  File created: C:\Program Files (x86)\WNet\WNet.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (8 IoCs), all by WNet.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\:
  Key created: ZoneMap\
  Set value (int): ZoneMap\IntranetName = "1"
  Set value (int): ZoneMap\UNCAsIntranet = "1"
  Set value (int): ZoneMap\AutoDetect = "0"
  Set value (int): ZoneMap\ProxyBypass = "1"
  Set value (str): 5.0\Cache\Content\CachePrefix  (value not shown on the page)
  Set value (str): 5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): 5.0\Cache\History\CachePrefix = "Visited:"
  Reading: HKEY_USERS\.DEFAULT is the hive of the LocalSystem account, and these are the keys WinINet populates on first use; they match the System32 directory hits above.

- Runs net.exe
  cmd.exe /c net start WNet -> net.exe -> net1.exe (see the process tree).

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (19 IoCs), grouped by source -> target (procid_target in brackets):
  2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe -> 3188 nfregdrv.exe [85]: 3 writes
  2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe -> 1148 WNet.exe [86]: 3 writes
  2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe -> 4820 explorer.exe [87]: 4 writes
  1148 WNet.exe -> 1820 cmd.exe [88]: 3 writes
  1820 cmd.exe -> 2632 net.exe [90]: 3 writes
  2632 net.exe -> 4344 net1.exe [91]: 3 writes
  Reading: three writes into a newly created child is what this sandbox records for every ordinary process creation in the tree; only 4820 receives a fourth write, and it is also the SetThreadContext target.
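The WriteProcessMemory and SetThreadContext tables above are flat text. The following added example (mine, not part of the tria.ge report or of the sample) parses them back into source -> target edges, counts writes per pair, and flags the pair that does not fit the create-process pattern. The IoC lines and the PID-to-image map are copied from this report; the baseline of three writes per ordinary process creation is an assumption, as is the rule that a Windows-directory image receiving extra writes plus a SetThreadContext is a hollowing candidate. The parser also works on the report's run-together single-line form, since it matches on the repeating "PID ... wrote to memory of ..." pattern rather than on line breaks.

```python
import re
from collections import Counter

# IoC text copied from the report's WriteProcessMemory table (one entry per line here).
WRITE_IOCS = """
PID 2596 wrote to memory of 3188 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 85
PID 2596 wrote to memory of 3188 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 85
PID 2596 wrote to memory of 3188 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 85
PID 2596 wrote to memory of 1148 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 86
PID 2596 wrote to memory of 1148 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 86
PID 2596 wrote to memory of 1148 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 86
PID 2596 wrote to memory of 4820 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 87
PID 2596 wrote to memory of 4820 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 87
PID 2596 wrote to memory of 4820 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 87
PID 2596 wrote to memory of 4820 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 87
PID 1148 wrote to memory of 1820 1148 WNet.exe 88
PID 1148 wrote to memory of 1820 1148 WNet.exe 88
PID 1148 wrote to memory of 1820 1148 WNet.exe 88
PID 1820 wrote to memory of 2632 1820 cmd.exe 90
PID 1820 wrote to memory of 2632 1820 cmd.exe 90
PID 1820 wrote to memory of 2632 1820 cmd.exe 90
PID 2632 wrote to memory of 4344 2632 net.exe 91
PID 2632 wrote to memory of 4344 2632 net.exe 91
PID 2632 wrote to memory of 4344 2632 net.exe 91
"""
# IoC text copied from the report's SetThreadContext table.
CONTEXT_IOCS = "PID 2596 set thread context of 4820 2596 a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe 87"

# PID -> image path, taken from the Processes tree in the report.
IMAGES = {
    2596: r"C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe",
    3188: r"C:\Program Files (x86)\WNet\nfregdrv.exe",
    1148: r"C:\Program Files (x86)\WNet\WNet.exe",
    1820: r"C:\Windows\SysWOW64\cmd.exe",
    2632: r"C:\Windows\SysWOW64\net.exe",
    4344: r"C:\Windows\SysWOW64\net1.exe",
    4820: r"C:\Windows\SysWOW64\explorer.exe",
    752: r"C:\Program Files (x86)\WNet\WNet.exe",
}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; the image has no spaces.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 \S+ (\d+)")

# Assumption: the sandbox logs this many parent->child writes for a plain
# CreateProcess; anything above it, or any SetThreadContext, deserves a look.
BASELINE_WRITES = 3


def parse_writes(text):
    """Count WriteProcessMemory events per (source pid, target pid)."""
    return Counter((int(s), int(d)) for s, d, _ in WRITE_RE.findall(text))


def parse_context_changes(text):
    """Set of (source pid, target pid) pairs with a SetThreadContext call."""
    return {(int(s), int(d)) for s, d, _ in CTX_RE.findall(text)}


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def find_hollowing_candidates(write_text, ctx_text, images):
    """Return the write pairs that exceed the baseline or carry a SetThreadContext."""
    writes = parse_writes(write_text)
    ctx = parse_context_changes(ctx_text)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        reasons = []
        if n > BASELINE_WRITES:
            reasons.append(f"{n} writes (baseline {BASELINE_WRITES})")
        if (src, dst) in ctx:
            reasons.append("SetThreadContext on target")
        if not reasons:
            continue
        target = images.get(dst, "?")
        findings.append({
            "injector": src,
            "target": dst,
            "target_image": target,
            "reasons": reasons,
            # Extra writes into a freshly created Windows binary followed by a
            # thread redirect is the process-hollowing shape.
            "hollowing": is_windows_binary(target) and (src, dst) in ctx,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing_candidates(WRITE_IOCS, CONTEXT_IOCS, IMAGES):
        print(finding)
```

On this report the only pair returned is 2596 -> 4820 (C:\Windows\SysWOW64\explorer.exe) with four writes and a SetThreadContext, flagged as hollowing; every other child in the tree sits exactly at the three-write baseline.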
Processes (behavioral2; indentation follows the report's depth markers 1 to 5)

- C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe  PID 2596
  command line: "C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe"
  signatures: Drops file in Drivers directory; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Program Files directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\WNet\nfregdrv.exe  PID 3188
    command line: nfregdrv.exe C:\Windows\system32\drivers\ssfilterdrv.sys
    signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Program Files (x86)\WNet\WNet.exe  PID 1148
    command line: "C:\Program Files (x86)\WNet\WNet.exe" /install /SILENT
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  PID 1820
      command line: cmd.exe /c net start WNet
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe  PID 2632
        command line: net start WNet
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  PID 4344
          command line: C:\Windows\system32\net1 start WNet
  - C:\Windows\SysWOW64\explorer.exe  PID 4820
    command line: C:\Windows\system32\explorer.exe
    signatures: Deletes itself
- C:\Program Files (x86)\WNet\WNet.exe  PID 752  (second root: no parent in this tree)
  command line: "C:\Program Files (x86)\WNet\WNet.exe"
  signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies data under HKEY_USERS

Reading the tree: the installer (2596) drops a kernel driver and a service binary, runs nfregdrv.exe with the driver path as its argument, installs WNet.exe as a service ("/install /SILENT") and starts it through cmd.exe -> net.exe -> net1.exe. The WNet.exe at PID 752 is not a child of anything shown, which is what a service started by the Service Control Manager looks like in a sandbox tree; its System32 and HKEY_USERS\.DEFAULT activity (Signatures above) indicates it runs as SYSTEM. The file names nfapi.dll, nfregdrv.exe and ProtocolFilters.dll match the user-mode components shipped with the NetFilter network-filtering SDK, and nfregdrv.exe is that SDK's driver registration helper; the driver here carries the non-default name ssfilterdrv.sys. The explorer.exe at 4820 is the hollowed self-deletion helper from the SetThreadContext reading above. Command lines say system32 while image paths say SysWOW64 because the 32-bit installer is under WoW64 file system redirection.
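The tree above is the shape an endpoint detection should catch: a .sys written under System32\drivers by a non-Windows image, followed within a short window by "net start <name>" from the dropper's own descendants, and then a fresh copy of the dropped binary appearing under services.exe. As an added example (mine, not from the report or the sample), the correlation below runs over a Sysmon-style event list that is constructed to mirror this tree: PIDs, image paths and command lines come from the report, while the timestamps, the services.exe PID 700, the user shell PID 1234, the Program Files FileCreate entry and the field names are assumptions.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a713bfbfbe7e8b1d8d4ee67370167c4f_JaffaCakes118.exe"

# Constructed event stream (ts = seconds); PIDs and command lines mirror the report's tree.
EVENTS = [
    {"ts": 0, "type": "ProcessCreate", "pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": 1, "type": "ProcessCreate", "pid": 700, "ppid": 1, "image": r"C:\Windows\System32\services.exe", "cmd": "services.exe"},
    {"ts": 10, "type": "ProcessCreate", "pid": 2596, "ppid": 1234, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"ts": 12, "type": "FileCreate", "pid": 2596, "target": r"C:\Windows\System32\drivers\ssfilterdrv.sys"},
    {"ts": 12, "type": "FileCreate", "pid": 2596, "target": r"C:\Program Files (x86)\WNet\WNet.exe"},
    {"ts": 13, "type": "ProcessCreate", "pid": 3188, "ppid": 2596, "image": r"C:\Program Files (x86)\WNet\nfregdrv.exe",
     "cmd": r"nfregdrv.exe C:\Windows\system32\drivers\ssfilterdrv.sys"},
    {"ts": 14, "type": "ProcessCreate", "pid": 1148, "ppid": 2596, "image": r"C:\Program Files (x86)\WNet\WNet.exe",
     "cmd": r'"C:\Program Files (x86)\WNet\WNet.exe" /install /SILENT'},
    {"ts": 15, "type": "ProcessCreate", "pid": 1820, "ppid": 1148, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd.exe /c net start WNet"},
    {"ts": 15, "type": "ProcessCreate", "pid": 2632, "ppid": 1820, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": "net start WNet"},
    {"ts": 16, "type": "ProcessCreate", "pid": 4344, "ppid": 2632, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r"C:\Windows\system32\net1 start WNet"},
    {"ts": 17, "type": "ProcessCreate", "pid": 752, "ppid": 700, "image": r"C:\Program Files (x86)\WNet\WNet.exe",
     "cmd": r'"C:\Program Files (x86)\WNet\WNet.exe"'},
]

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# net.exe and net1.exe both accept "start <service>"; match either spelling.
NET_START = re.compile(r"\bnet1?(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def build_tree(events):
    """pid -> ProcessCreate event."""
    return {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}


def ancestors(procs, pid):
    """PIDs from pid up to the root of the known tree, pid first."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def correlate_driver_install(events, window=300):
    """Driver file dropped by a non-Windows image + 'net start' in its subtree within `window` seconds."""
    procs = build_tree(events)
    drops = [e for e in events if e["type"] == "FileCreate"
             and e["target"].lower().startswith(DRIVER_DIR)
             and e["target"].lower().endswith(".sys")
             and e["pid"] in procs
             and not procs[e["pid"]]["image"].lower().startswith("c:\\windows\\")]
    alerts = {}
    for drop in drops:
        for p in sorted(procs.values(), key=lambda e: e["ts"]):
            m = NET_START.search(p["cmd"])
            if not m or drop["pid"] not in ancestors(procs, p["pid"]):
                continue
            if not 0 <= p["ts"] - drop["ts"] <= window:
                continue
            key = (drop["pid"], m.group(1).lower())
            if key in alerts:          # cmd.exe, net.exe and net1.exe all carry the same start
                continue
            path = ancestors(procs, p["pid"])
            # Command lines from the dropper down to the first process issuing the start.
            chain = [procs[x]["cmd"] for x in reversed(path[:path.index(drop["pid"]) + 1])]
            # The service instance: a process parented by services.exe after the start.
            instances = [q["pid"] for q in procs.values()
                         if q["ts"] >= p["ts"] and q["ppid"] in procs
                         and procs[q["ppid"]]["image"].lower().endswith("\\services.exe")]
            alerts[key] = {"dropper": drop["pid"], "driver": drop["target"], "service": m.group(1),
                           "chain": chain, "service_instances": instances}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate_driver_install(EVENTS):
        print(alert)
```

Against the constructed stream this yields one alert: dropper 2596, driver C:\Windows\System32\drivers\ssfilterdrv.sys, service WNet, the three-step chain installer -> "WNet.exe /install /SILENT" -> "cmd.exe /c net start WNet", and PID 752 as the service instance. Driver-load telemetry (Sysmon event 6 with the signature verdict) would be the natural next field to join in; it is left out here because the report does not show the driver's signing state.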
Network
MITRE ATT&CK Enterprise v15
Downloads (files recorded for this task; the page carries hashes only, file names were not captured)

- 360KB
  MD5: fab8104ced422c551bcf2dda631e5930
  SHA1: ccdb59de36d3ca7fe080f173bf437a98701a367b
  SHA256: 34fd513f254f3491a314b64f8883b289ab96a2b975ce6fa357c0ae11ed12d3df
  SHA512: 52608279186f108284bef7cf5e6031d67ae1d700121a22ef7da00a8ef81ae2430e64adabd2fa9c186ebf7d7d5c9df8bd0183d35071d4c1e594e8118a0f576870

- 426KB
  MD5: 45571677457a9bfd49aadada0fd91ca8
  SHA1: 15bb2446b1b6a54c03963c02dcffbe6886d09a56
  SHA256: 4dad1b7a2398c2d770d1d5d519c8a9b1877c430017cf1f17d414b926d6056ad3
  SHA512: 27d78e775cf275e1f068bb72056f8e9694006c75f674449ef2696791edb504e54aacea702152f9947b369b3c93488a91d54b15175a81b544e4ffacfd1eb45cbd

- 1.4MB
  MD5: 47a9d585dbf59f54574d978c4200a520
  SHA1: ee99ab151751ee720833efb0c3a031d09bd13833
  SHA256: 421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780
  SHA512: d23516719ff06134c8614d27813b828b7815298404824623ae25a35dafde6515ebf80476405235933faad9bc70acfe5e295e8fabe5af091f544a23f3e2a0b565

- 124KB
  MD5: 04a835251535006c85473a604fba8bdc
  SHA1: 4bed678d9836e20d1f48792a8f4ba1d41e94f629
  SHA256: e99db65a51db72018f0469b6d5096a2d469b790efdeec50a955b8ac4e19f16e8
  SHA512: e47c5072fd8b581e8312148ca48490a86d4f51d58e6acef90d3d3de8bca5660d62a1b935357f9307c6f89cc35d1d332b0f42f402abf87a8959d4c29af8e5ee67

- 48KB
  MD5: 92a6df47283b49b207045fa7a4502bc1
  SHA1: 718e9ff5f0fd9143de4f8fcf135d78165f991e9d
  SHA256: d714695c9775bd7dbb1fa40882bbe03216acb3994b94514a68892454eada0358
  SHA512: f2b08a4ae33e87a786fe25a2d902c8acb002faa4893a1f21d5608cbe070477af1b9c553c8960486a65089ad1e0be1491cb93cc60da9f3394c893525fa075d645

- 56KB
  MD5: 7b94b6b6dfcf47fedf7fe436674c6b3c
  SHA1: 91d90c7e4b5b8409a03913d533f858a41d486ecc
  SHA256: 0d883f9871b2b85f3e9d3f680cafb825085b7468ddb86f9e9d5e74d21ab1a0ae
  SHA512: 3db29cbef35f2cba0d02ff734e9c8d979f94c23e8164f6616319c7702345f79352077077148bbce54f0c67aeaf0fb9d0d2d077eeba8a837c4105ef331d7a2730

- 368KB
  MD5: 2da6e9df4979ca65a01c4df6eb5600d2
  SHA1: 8bb90aca4e3387629e76d5c8cb53743990d891ec
  SHA256: bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14
  SHA512: e146c42fee06702b80ca46d7a281a8c0600b9a35213accac29dc3c505d9d1f0405c4a69f22258042fbe4d35278c2c47ba878b1f2bfaa739eb1501428ea5f90af

- 5KB
  MD5: e5786e8703d651bc8bd4bfecf46d3844
  SHA1: fee5aa4b325deecbf69ccb6eadd89bd5ae59723f
  SHA256: d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774
  SHA512: d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

- 61KB
  MD5: d63975ce28f801f236c4aca5af726961
  SHA1: 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9
  SHA256: e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
  SHA512: 8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

- 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f