a424ecaea26cb2393afaafe05ca451ed818806de04fcd398ea99037a5de85bcd

General

Target

f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Size

795KB
MD5

f4e56e9d5dc66cc15930abbdca5c8c8b
SHA1

aa00952206545af5bd8d0890bf0c7802c08c830a
SHA256

a424ecaea26cb2393afaafe05ca451ed818806de04fcd398ea99037a5de85bcd
SHA512

8f6c245daae860262d2326c37b8ff524faecf8330bcd784fc55e9af06be5151504dfb52510e3e71054acc008b819f9107a0f124609a74726c77bbefeacb66530
SSDEEP

24576:9Mw6ce/U26Cb5KaXKseD0nye08WIcshV/8+v:BI/U26CNZX9ektDhK+v

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3788	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS19113-SHPD-FSD21017} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS19113-SHPD-FSD21017}\\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /m"	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS19113-SHPD-FSD21017} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS19113-SHPD-FSD21017}\\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /m"	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3788	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3788	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3788	1728	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe	82
PID 1728 wrote to memory of 3788	1728	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe	82
PID 1728 wrote to memory of 3788	1728	f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
  C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /r
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

Filesize
3KB

MD5
16e0cfc376b78bfdf0b7e7e303eec1bf

SHA1
306c30b697c7c380bc778d64e7eefada1cac7dd1

SHA256
9c01ff75101d80a7d17465f052ace4e0fd57f97f5d17763dc6a587c3e4748416

SHA512
7bbd85303921b1772353ee5a2d6f0f882eedf27fe4f068cec7ec79b1da7145add9065e9e5b52b261265234eb4c81bcb23e1a03fcb39495bafad344a39fe2b24f

Download Submit
C:\ProgramData\Norton\FSDUI-2024-09-25-01h41m55s.log

Filesize
1KB

MD5
4a93df74761a52fef314fa95576fc447

SHA1
c7c0caa494a57d86d8d1534a654310e0eef25780

SHA256
d3f67baf12ce1782a5e3ef7aa95bcba60d6dca94c35b3e495f8c12a447b6c172

SHA512
6bdf700ad0d87c9b57fa40171e64f69b2884be50f6f8c64af4a501fa5fbb16faa30377a76567ac88db3ff2fa5e1eb03ff6305a3839944235ab8d2756d46d62bd

Download Submit
C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
41eda292f851ff37e38b841bdc9a3c44

SHA1
ce46fd8c8100b84e9423d266d034048d8a67cb4c

SHA256
63811ed80f0a94607913e9dc2bb9dc3fb5d7f601da9a579be8cb229656f67596

SHA512
dacb7eae5bbe46119ce104c6ced233f1065de0c823cdf577d8ba72fdd24913f548699d2070c01a8da7af0a287396904548dcd4aee0fed39f3286d392a2790c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\4bd07e1ba952c6aa9bf83a8d98c08949_c186ecc3-67e4-4d2b-8682-b6c322da87aa

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Download Manager.lnk

Filesize
1KB

MD5
66f487fa0dd43649be6cd925a187c73b

SHA1
49865d124e76f8b6b8556827c1f5285f6a3f42a5

SHA256
a37e89834fdbbfac1e6f16bb463bc7dd2416d8cf8f9366b7b198f1ad0722d4d6

SHA512
50564cf8a7ed055400c0a90d22e10e676c6544b9e5f198853f55a2ca53a45ad75134450cdf12b04420c6a3754356c7daad561fb358c9a4157ff1d6830c5dfd42

Download Submit
C:\Users\Admin\Desktop\Norton Installation Files.lnk

Filesize
1KB

MD5
a6e194a7e4667b8f916116e9e6e5c4ab

SHA1
0729c41e8dc2706fb71878533e05d05d52481711

SHA256
c733a704928575869002a40bc57b94599711a3b12c2e61993870f728d2bf514c

SHA512
f34f676f6493952240d60989a04a0e070189ce9a57d5c835e5b8be548f28558bc78624617c7b50fd3d75e7f63a9816facc44ee89dae7deb46919ed3a8d350a7e

Download Submit
C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe

Filesize
795KB

MD5
f4e56e9d5dc66cc15930abbdca5c8c8b

SHA1
aa00952206545af5bd8d0890bf0c7802c08c830a

SHA256
a424ecaea26cb2393afaafe05ca451ed818806de04fcd398ea99037a5de85bcd

SHA512
8f6c245daae860262d2326c37b8ff524faecf8330bcd784fc55e9af06be5151504dfb52510e3e71054acc008b819f9107a0f124609a74726c77bbefeacb66530

Download Submit
memory/1728-25-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/1728-0-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/1728-1-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/3788-26-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/3788-38-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3788-49-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/3788-51-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3788-50-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/3788-52-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/3788-70-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads