b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d

General

Target

0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Size

398KB
MD5

0dd79e364364aa64381242942fecbda3
SHA1

32ea31863c0966ef09f8ae460306e5cf6c34db7c
SHA256

b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d
SHA512

71c0c70816e38001bea26e3dabb881bf6ff22ce4e87a2150247d40bfb0c5d950c30e348a9411e3acacd6797a33d0973d2c6320e1473cbd28eb9661bdd4875ae7
SSDEEP

6144:CPPrO426Ep+NQFj8YdCioiqBb1lo/GWyJusttUnVzfCN/WQ3EEs8Pl9Bnsz+d4:0r5FSfdZTUREGFpt0fw/WQ3EEs83mzw4

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2088	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-N360v4} = "C:\\Users\\Public\\Downloads\\Norton\\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /m"	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-N360v4} = "C:\\Users\\Public\\Downloads\\Norton\\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /m"	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2088	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2088	1504	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	82
PID 1504 wrote to memory of 2088	1504	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	82
PID 1504 wrote to memory of 2088	1504	0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe
  C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe /r
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
399cd4d4a226928f49c24798284a782d

SHA1
ca247b2e52ae971567fc038303b90a93dbd106c6

SHA256
70bc79a510da26449ae65913d8716eabc83add4ec98993b2fd520c4ae005b82f

SHA512
e1e7ebee3f90b8eefd1ed0f5e84d5d003303c58e8e29bd14ef018aeeea907ae32ea7a4fe1f423f97871e10be933a78d91cb2b7d163f1f756d59fcf6e36756a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2080292272-204036150-2159171770-1000\4bd07e1ba952c6aa9bf83a8d98c08949_50b25195-d6c8-43bb-b2ca-a8bd616967ef

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\Desktop\Launch Norton Download Manager.lnk

Filesize
1KB

MD5
c19d9431461f95b32fc5c225301c9f5d

SHA1
1ebf975f3135aeefa1b56e9997727c27474fe648

SHA256
c37d9967b8ed7e2e70ae58fdc28713e537790f630676db30f7984b244fb66b42

SHA512
9afcb125e68099bf346524e2d03127ccbe0a96e58f355ac15168592376bf0b82b559f35ffe6388563186f077677a250c8cd41af26cab0e7abfd40ee74c24a433

Download Submit
C:\Users\Admin\Desktop\Norton Installation Files.lnk

Filesize
1KB

MD5
9db89198ec86499494bd0a7582e6dc4d

SHA1
8cda45806947a1516324e561eeb7304b15639eb3

SHA256
a80dbb4bb9a6d02d112a866d53b30f226de00cfa25143accca45ca7068c8adda

SHA512
91aff96d5d39a44a2cb6e1211f393e830ff8280985d82bc0b6bbff75dea58d5e7cbd27242c9ba85f1be41e648944e44195e20b5c7987f2d3d83c202cb3e0be5b

Download Submit
C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-N360v4}\0dd79e364364aa64381242942fecbda3_JaffaCakes118.exe

Filesize
398KB

MD5
0dd79e364364aa64381242942fecbda3

SHA1
32ea31863c0966ef09f8ae460306e5cf6c34db7c

SHA256
b67018512894d3b3422f0f856756229ace8e18044e0db51a4141b078bc96cb1d

SHA512
71c0c70816e38001bea26e3dabb881bf6ff22ce4e87a2150247d40bfb0c5d950c30e348a9411e3acacd6797a33d0973d2c6320e1473cbd28eb9661bdd4875ae7

Download Submit
memory/1504-20-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1504-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1504-1-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/2088-21-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2088-22-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/2088-33-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2088-34-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2088-36-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/2088-37-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2088-38-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2088-46-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads