d9cee97cb8974083e476024116794918b21810376d7adf74ea2b199cdc558ef6

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe
Size

200KB
MD5

3cc6c36590e1bcb780a536f42fb38cb6
SHA1

903a1aa6f8107231c5dbe3155428725b9592287d
SHA256

d9cee97cb8974083e476024116794918b21810376d7adf74ea2b199cdc558ef6
SHA512

73d53f6a15cd10bcd9d7015adafeb72caa40d1aca063b5c94771ea17de24b5c0127e08f46850ae4fd4b9dc3ac676a9b0e131a37a41cbe905b12094bdc1919f55
SSDEEP

1536:/m6x8S+dYgkG4xkpHUjZn5B2jZmhYNfZSzvMaReGnO0r:e6xNKcdn

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fwtum.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	fwtum.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe
2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /c"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /N"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /K"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /k"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /J"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /H"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /v"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /g"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /A"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /R"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /B"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /x"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /y"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /C"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /W"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /q"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /m"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /s"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /f"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /M"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /b"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /Q"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /U"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /j"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /p"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /S"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /O"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /F"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /r"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /D"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /T"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /u"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /h"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /d"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /P"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /Y"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /n"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /X"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /z"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /L"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /l"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /w"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /I"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /t"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /E"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /e"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /i"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /G"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /V"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /o"	fwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fwtum = "C:\\Users\\Admin\\fwtum.exe /Z"	fwtum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe
3020	fwtum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe
3020	fwtum.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3020	2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3020	2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3020	2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3020	2424	3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29
PID 3020 wrote to memory of 2424	3020	fwtum.exe	29

C:\Users\Admin\AppData\Local\Temp\3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cc6c36590e1bcb780a536f42fb38cb6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\fwtum.exe
  "C:\Users\Admin\fwtum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\fwtum.exe

Filesize
200KB

MD5
320e79226eac65ab5e7f4013b57657f4

SHA1
dd2850e93133d42b07eb8205026df5552ef0adc3

SHA256
c8c07271cf4cd434aaf0255b29771d63f5ad62ef3056549a661862401e0d0938

SHA512
2f21639e37a7640b82ba459c1486935fbf093016507e2f792091b178780bb3f64f6c52735f78c846f394ae944c5028ef1ccb5d281b3872d798a38a6f8508fa0f

Download Submit