f60a3afd41d56696492565a88d6dab19eedfb4a0ec13f153e37af4548c200acd

General

Target

ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
Size

809KB
MD5

ea7937cc603e11f852328f9de4de9a6d
SHA1

b3b3e3a122ff144853c834b2d6dcddaed90293df
SHA256

f60a3afd41d56696492565a88d6dab19eedfb4a0ec13f153e37af4548c200acd
SHA512

28337a5a767a8472e8962e17b9dbe7d6ad000cacc00fc774bcafe027256570544e898f9a2ae2924152b05f3ff6fffd5bbd6d292ff6d8d7cb9fa243e67af79722
SSDEEP

12288:+48OUL48hA1YViCkS0d5EOc27QkzU44ODFQXf7dL32cnBpoz2vyaE6qRRe3OT849:xUDv8R5EOlEkY44OO5Lmz2KeWkkIRc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2596	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{N360620009-SHPD-FSD25037} = "C:\\Users\\Public\\Downloads\\Norton\\{N360620009-SHPD-FSD25037}\\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe /m"	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{N360620009-SHPD-FSD25037} = "C:\\Users\\Public\\Downloads\\Norton\\{N360620009-SHPD-FSD25037}\\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe /m"	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2596	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2596	644	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe	82
PID 644 wrote to memory of 2596	644	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe	82
PID 644 wrote to memory of 2596	644	ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Public\Downloads\Norton\{N360620009-SHPD-FSD25037}\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe
  C:\Users\Public\Downloads\Norton\{N360620009-SHPD-FSD25037}\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe /r
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

Filesize
2KB

MD5
98304f8dc8d6b983b2ccb5649aa2cf18

SHA1
59be9939310795e1dc57e288cd9295f6478939e9

SHA256
0616a4187a62cb58064507d40aa99944e910e5d6b696035e2a36d1ddf901a242

SHA512
e7b71365734d0b0e4aa9472cdbe7ee254ee9b40d1268262c61ab8f74c1c92a91828e5ac7e61fe925f1ec421d2f368690efab925d4efda7ac15f7ecb7955376c1

Download Submit
C:\ProgramData\Norton\FSDUI-2024-09-19-03h09m46s.log

Filesize
1KB

MD5
e8e5c0e082023723032b8be16c8b930d

SHA1
7c0e2510464132bb445e5e6eb9b91c27725f1a9b

SHA256
d3b4bda5dada29231b43b162e5057bd9ad7039472e709926c38a16e4cc5e2835

SHA512
5281c3ae07e3757fd86f1ab823c6055eb9d6c7b481f99c60ef3cc3a2bd004a6d35f236fd42a93855b115b54f048e90941ae3850531b4654fe53366252526919e

Download Submit
C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
0ff3aaedf9de38c0c68b5c927b04ef46

SHA1
20fd4552410b3fef0c373aa6be2ea2e88f659035

SHA256
1265fb557bd31b60e69a90277b796c0955a80e42743971dfab69c7b7c53bf4b9

SHA512
5d7e32c2495ec44b76aec297d7fd7521479b47732c15c9337b371ad240c25017a572cfa861f30ef828ba9d94c4e80dfb57927372823adc59e4e6b5352aa768b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\4bd07e1ba952c6aa9bf83a8d98c08949_1b74ca46-c49b-4c52-a57d-8cd1ff70c625

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Download Manager.lnk

Filesize
1KB

MD5
0fc45cac61e6ec1f92a74deaebd7a484

SHA1
efe06551ec7fc59f320d9a548c30e9527a108157

SHA256
684e2473f6c32faad3e9714150f2072e46839b0729df16d914bc03f6b9820369

SHA512
8553f626240322ce87e338df7eb3299ec4dfa51a066592cc5e9923d7fb82fecccee8aa55abfea5968f8b531418500295983b506367eaf9b51fd4fd6eb9c78321

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Installation Files.lnk

Filesize
1KB

MD5
4afdc54d17f2773ad04c0b891ea6820f

SHA1
67dec3b371cbd44e421564125e0b05757fc096b8

SHA256
a43975961e03cac7b7c53fe0b7ee2a3f006f7554cc2e67d74e5c1a20351cf5f7

SHA512
7eb88987700eb7783f268e183606cb92a8cb0cd6ca8432401a7d8990afb8ee06c7ed8325bcd7e471bbefad84fa94d85ccc7377b3bca918a20d026345a9c8051d

Download Submit
C:\Users\Public\Downloads\Norton\{N360620009-SHPD-FSD25037}\ea7937cc603e11f852328f9de4de9a6d_JaffaCakes118.exe

Filesize
809KB

MD5
ea7937cc603e11f852328f9de4de9a6d

SHA1
b3b3e3a122ff144853c834b2d6dcddaed90293df

SHA256
f60a3afd41d56696492565a88d6dab19eedfb4a0ec13f153e37af4548c200acd

SHA512
28337a5a767a8472e8962e17b9dbe7d6ad000cacc00fc774bcafe027256570544e898f9a2ae2924152b05f3ff6fffd5bbd6d292ff6d8d7cb9fa243e67af79722

Download Submit
memory/644-26-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/644-0-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/644-1-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/2596-38-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2596-24-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2596-56-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2596-58-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2596-57-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads