b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d

General

Target

0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Size

398KB
MD5

0dd79e364364aa64381242942fecbda3
SHA1

32ea31863c0966ef09f8ae460306e5cf6c34db7c
SHA256

b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d
SHA512

71c0c70816e38001bea26e3dabb881bf6ff22ce4e87a2150247d40bfb0c5d950c30e348a9411e3acacd6797a33d0973d2c6320e1473cbd28eb9661bdd4875ae7
SSDEEP

6144:CPPrO426Ep+NQFj8YdCioiqBb1lo/GWyJusttUnVzfCN/WQ3EEs8Pl9Bnsz+d4:0r5FSfdZTUREGFpt0fw/WQ3EEs83mzw4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

pid	Process
1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
2656	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
2656	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-N360v4} = "C:\\Users\\Public\\Downloads\\Norton\\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /m"	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-N360v4} = "C:\\Users\\Public\\Downloads\\Norton\\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /m"	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2656	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2656	1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2656	1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2656	1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2656	1276	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
  C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
bd018e5f9c023f3c559745c8ce3b6273

SHA1
222663b7b71cad59f7c0ade6704b58802c7a11e2

SHA256
240b2f037b20f2db0447b365033f0205991379d61299cec53da034f5d8dc0c46

SHA512
e1063f110a0acdef2cb56a86905923c9a6e8721ea5c4f02f18f48bae62d6322bc63e84c7300dd70213919cc4eb1af3dc14684369c95253bc9978e7845172cd01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2737914667-933161113-3798636211-1000\4bd07e1ba952c6aa9bf83a8d98c08949_07cfaa2b-05f3-43ad-9a8b-0541b0b16272

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Launch Norton Download Manager.lnk

Filesize
1KB

MD5
79f8a4922ae9ef6b6500e2888d3750dd

SHA1
e5b9ea98f98d558eb606423ccec0b81d0291bf3d

SHA256
d13fdcd1ef566de02b51e2e3fe6a103e20d48605eaf5d90fc49608be601d24f3

SHA512
b74dd256d94a904c405e5f5f07c6725f9cd2378d7c10c4d52ef93deb0c4695d5421551e33b59cd4cbab9f1bb9d83c235658028afb4f752eb544975de577798b2

Download Submit
C:\Users\Admin\Desktop\Norton Installation Files.lnk

Filesize
1KB

MD5
d067e3781b23b71f708797daad394142

SHA1
18d8122c69841f53c56fd2def8e2907bb97c13ea

SHA256
4f0043523d028f377799be389a90d08097cfd7512e9ae71e3537304912315972

SHA512
e1ed80d0420f42fc6212adb77669a60a7de5cfa85775050e0effe0d24c497855e93e8ca4fe95a24271b15b7d8a98cf040d21f3fafaa1f0fc4dfffb841064b09f

Download Submit
\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Filesize
398KB

MD5
0dd79e364364aa64381242942fecbda3

SHA1
32ea31863c0966ef09f8ae460306e5cf6c34db7c

SHA256
b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d

SHA512
71c0c70816e38001bea26e3dabb881bf6ff22ce4e87a2150247d40bfb0c5d950c30e348a9411e3acacd6797a33d0973d2c6320e1473cbd28eb9661bdd4875ae7

Download Submit
memory/1276-1-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-12-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/1276-22-0x0000000002F80000-0x00000000030DC000-memory.dmp

Filesize
1.4MB

Download
memory/1276-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1276-25-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-26-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-27-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-40-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2656-39-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2656-43-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-44-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-51-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-52-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-55-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads