b1d58ec9e1339af39852ad1d9af8eef47abf7e92d07bb0b86b9ead3118d0821e

General

Target

a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Size

398KB
MD5

a9abd03899f9d0d30033a99d60d25aa3
SHA1

2400a2ece5fc5b69a95f232f5bf72d23492d4923
SHA256

b1d58ec9e1339af39852ad1d9af8eef47abf7e92d07bb0b86b9ead3118d0821e
SHA512

41c1413be4b712008b074077d3e31cce74da613f7c7e28a21fcc62f856a5e3ee2b8078cbfe253d635ad703ef669b9c0146a4c099e96a2a33fecc41ca0323b058
SSDEEP

12288:2C8j5LHNmRG4Pn8FE+Kqz/vR3FvK0mzlt:Z8FbQ/8FEcz/HKXv

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2656	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

pid	Process
1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
2656	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
2656	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{N360P_prod_1.19_4.1.0.32} = "C:\\Users\\Public\\Downloads\\Norton\\{N360P_prod_1.19_4.1.0.32}\\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe /m"	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{N360P_prod_1.19_4.1.0.32} = "C:\\Users\\Public\\Downloads\\Norton\\{N360P_prod_1.19_4.1.0.32}\\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe /m"	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2656	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2656	1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2656	1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2656	1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2656	1908	a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Public\Downloads\Norton\{N360P_prod_1.19_4.1.0.32}\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe
  C:\Users\Public\Downloads\Norton\{N360P_prod_1.19_4.1.0.32}\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
21974872e49086fb62d9c2ab95993916

SHA1
317041d12cde82d5ec6fd57b4a007124dc95d924

SHA256
580b730db5baf0a4b2c4a2729b092f33884793b2cc9094f644c0b24f60d93e0a

SHA512
8275d3e10ef4a1769b7a7b799be094a2af70bbc71c5fd91265a7fce45b8234d2f01700f5d6620ac4c0b4e7ad2952508684533ba57442af14637f8004baa81b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab94B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9533.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\4bd07e1ba952c6aa9bf83a8d98c08949_5349ca0f-aec5-405f-83e0-aa034653cb76

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Download Manager.lnk

Filesize
1KB

MD5
1ddbf95a91d490adefa9bb8b654d400a

SHA1
97895b24f79331b9aae4966cec824874722f8ed9

SHA256
2461a67f518e24a414a75afb3ba4f40a000d0b9a074f542f225dde8f2a271b8d

SHA512
534458b3648eb5397fdd2df1cc4b9687287daf14efeeabf78f387b63de23a93f2d7d177e6f0b0ccf5a814ff5d826452d720032898a07f33f148e5161a6327a36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Installation Files.lnk

Filesize
1KB

MD5
47b26683bf5f1046f63be008e0599bb6

SHA1
4061b1591c680f5092fdfdd2da9562cd71c8555b

SHA256
1ad59b0cbc57e3e857bdca29921f56bf30921d948b7fd3b20605c7046f9de3ee

SHA512
b0a53e99962a75bcb1a1f689c126d7cff70020aab0e0911c37af3bc47b3a3f75be368d679fa6e26c88cf22fac632fd67ce7e2b5a9d711a77e230ea284fbe3fba

Download Submit
\Users\Public\Downloads\Norton\{N360P_prod_1.19_4.1.0.32}\a9abd03899f9d0d30033a99d60d25aa3_JaffaCakes118.exe

Filesize
398KB

MD5
a9abd03899f9d0d30033a99d60d25aa3

SHA1
2400a2ece5fc5b69a95f232f5bf72d23492d4923

SHA256
b1d58ec9e1339af39852ad1d9af8eef47abf7e92d07bb0b86b9ead3118d0821e

SHA512
41c1413be4b712008b074077d3e31cce74da613f7c7e28a21fcc62f856a5e3ee2b8078cbfe253d635ad703ef669b9c0146a4c099e96a2a33fecc41ca0323b058

Download Submit
memory/1908-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1908-13-0x0000000001ED0000-0x0000000001EE0000-memory.dmp

Filesize
64KB

Download
memory/1908-24-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1908-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-41-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2656-40-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2656-42-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2656-43-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-44-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-52-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2656-53-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2656-26-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2656-25-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2656-91-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads