Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 01:41
Static task: static1
Behavioral task: behavioral1
  Sample: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
Size: 795KB
MD5: f4e56e9d5dc66cc15930abbdca5c8c8b
SHA1: aa00952206545af5bd8d0890bf0c7802c08c830a
SHA256: a424ecaea26cb2393afaafe05ca451ed818806de04fcd398ea99037a5de85bcd
SHA512: 8f6c245daae860262d2326c37b8ff524faecf8330bcd784fc55e9af06be5151504dfb52510e3e71054acc008b819f9107a0f124609a74726c77bbefeacb66530
SSDEEP: 24576:9Mw6ce/U26Cb5KaXKseD0nye08WIcshV/8+v:BI/U26CNZX9ektDhK+v
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 3788: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS19113-SHPD-FSD21017} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS19113-SHPD-FSD21017}\\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /m" (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS19113-SHPD-FSD21017} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS19113-SHPD-FSD21017}\\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /m" (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
- Checks whether UAC is enabled (2 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
- Modifies system certificate store (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 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 (process: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 3788: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 3788: f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1728 wrote to memory of 3788: pid 1728, process f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe, procid_target 82
  PID 1728 wrote to memory of 3788: pid 1728, process f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe, procid_target 82
  PID 1728 wrote to memory of 3788: pid 1728, process f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe, procid_target 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe"
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - System Location Discovery: System Language Discovery
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe (PID 3788, child of PID 1728)
      Command line: C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe /r
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads
- Filesize: 3KB
  MD5: 16e0cfc376b78bfdf0b7e7e303eec1bf
  SHA1: 306c30b697c7c380bc778d64e7eefada1cac7dd1
  SHA256: 9c01ff75101d80a7d17465f052ace4e0fd57f97f5d17763dc6a587c3e4748416
  SHA512: 7bbd85303921b1772353ee5a2d6f0f882eedf27fe4f068cec7ec79b1da7145add9065e9e5b52b261265234eb4c81bcb23e1a03fcb39495bafad344a39fe2b24f
- Filesize: 1KB
  MD5: 4a93df74761a52fef314fa95576fc447
  SHA1: c7c0caa494a57d86d8d1534a654310e0eef25780
  SHA256: d3f67baf12ce1782a5e3ef7aa95bcba60d6dca94c35b3e495f8c12a447b6c172
  SHA512: 6bdf700ad0d87c9b57fa40171e64f69b2884be50f6f8c64af4a501fa5fbb16faa30377a76567ac88db3ff2fa5e1eb03ff6305a3839944235ab8d2756d46d62bd
- Filesize: 157B
  MD5: 41eda292f851ff37e38b841bdc9a3c44
  SHA1: ce46fd8c8100b84e9423d266d034048d8a67cb4c
  SHA256: 63811ed80f0a94607913e9dc2bb9dc3fb5d7f601da9a579be8cb229656f67596
  SHA512: dacb7eae5bbe46119ce104c6ced233f1065de0c823cdf577d8ba72fdd24913f548699d2070c01a8da7af0a287396904548dcd4aee0fed39f3286d392a2790c6d
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\4bd07e1ba952c6aa9bf83a8d98c08949_c186ecc3-67e4-4d2b-8682-b6c322da87aa
  Filesize: 54B
  MD5: 9499c2f308410e48386f58ca7afccd2e
  SHA1: e2ef9dec757aec938d801dd720fddc0c387da7af
  SHA256: 87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97
  SHA512: ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton Download Manager.lnk
  Filesize: 1KB
  MD5: 66f487fa0dd43649be6cd925a187c73b
  SHA1: 49865d124e76f8b6b8556827c1f5285f6a3f42a5
  SHA256: a37e89834fdbbfac1e6f16bb463bc7dd2416d8cf8f9366b7b198f1ad0722d4d6
  SHA512: 50564cf8a7ed055400c0a90d22e10e676c6544b9e5f198853f55a2ca53a45ad75134450cdf12b04420c6a3754356c7daad561fb358c9a4157ff1d6830c5dfd42
- Filesize: 1KB
  MD5: a6e194a7e4667b8f916116e9e6e5c4ab
  SHA1: 0729c41e8dc2706fb71878533e05d05d52481711
  SHA256: c733a704928575869002a40bc57b94599711a3b12c2e61993870f728d2bf514c
  SHA512: f34f676f6493952240d60989a04a0e070189ce9a57d5c835e5b8be548f28558bc78624617c7b50fd3d75e7f63a9816facc44ee89dae7deb46919ed3a8d350a7e
- C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\f4e56e9d5dc66cc15930abbdca5c8c8b_JaffaCakes118.exe
  Filesize: 795KB
  MD5: f4e56e9d5dc66cc15930abbdca5c8c8b
  SHA1: aa00952206545af5bd8d0890bf0c7802c08c830a
  SHA256: a424ecaea26cb2393afaafe05ca451ed818806de04fcd398ea99037a5de85bcd
  SHA512: 8f6c245daae860262d2326c37b8ff524faecf8330bcd784fc55e9af06be5151504dfb52510e3e71054acc008b819f9107a0f124609a74726c77bbefeacb66530