Analysis
max time kernel: 141s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 01:41
Behavioral task: behavioral1
Sample: 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Size: 455KB
MD5: 04c5c992c657ec64cccfa6fbd6c372fe
SHA1: 1b6dc7444175e47a753b5fbc5f53be6fe55a5435
SHA256: d3312b99d1dfbe22a25eca16d000350fddf0da8e7deabab791fa503f76d4bfb9
SHA512: 7dceffc418676cc0fbac57216f4f77322b8cbc0d815ab3cfec0a3ac9e1fde81213622ba147196898e2c83c3c77ceb76a9d7806e5efc6fc7d9bd98b88535a9494
SSDEEP: 12288:jwJnsKl6ZSwQ0ttoexYzAAK/lKFzeMzK6sMZeoY:esKE7vo6b/lyLzcL
Malware Config
Signatures
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\GreenBrowser.exe = "0" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TypedURLs | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Modifies registry class 45 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\GreenBrowser\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\GreenBrowser\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "htmlfile" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.html\ = "htmlfile" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\ = "GreenBrowser" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\GreenBrowser\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\GreenBrowser\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\GreenBrowser\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "GreenBrowser" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\GreenBrowser\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "GreenBrowser" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "GreenBrowser" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\ = "htmlfile" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.htm\ = "htmlfile" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "GreenBrowser" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\GreenBrowser\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\GreenBrowser\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\GreenBrowser | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\GreenBrowser\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\Content Type = "text/html" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\GreenBrowser\command | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe\" \"%1\"" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\Content Type = "text/html" | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
4432 | 04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\04c5c992c657ec64cccfa6fbd6c372fe_JaffaCakes118.exe"
   PID: 4432
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads