87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4

General

Target

a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
Size

269KB
MD5

a1d05b81f9dfab937c1db86773780558
SHA1

cad886f1bdf1b9acb6ab47c6519a65292ab84d12
SHA256

87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4
SHA512

b86b63df3440612da77d42833ee35a894fb9d3e94b13ec5c2d900951ddbceeeb5053fe28ea454cb4b30dd1f32a486d48c479cf27f519c3d50d08f1cf2f64512f
SSDEEP

6144:QfGIxXCNTAtHPKQwPPQxpIl+GvCrgsADwS01+b0:sMKEHQwvCrgft08b0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3188	aadWamExtension.exe

Executes dropped EXE 8 IoCs

pid	Process
3188	aadWamExtension.exe
2632	AboveLockAppHost.exe
2584	acledit.exe
5060	apprepapi.exe
4080	advapi32res.exe
2932	avrt.exe
4444	aadauthhelper.exe
3860	activeds.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aadWamExtension.exe	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aadWamExtension.exe	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AboveLockAppHost.nls	AboveLockAppHost.exe
File opened for modification	C:\Windows\SysWOW64\apprepapi.nls	apprepapi.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	avrt.exe
File created	C:\Windows\SysWOW64\AboveLockAppHost.exe	aadWamExtension.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.nls	AboveLockAppHost.exe
File created	C:\Windows\SysWOW64\acledit.exe	AboveLockAppHost.exe
File created	C:\Windows\SysWOW64\advapi32res.exe	apprepapi.exe
File created	C:\Windows\SysWOW64\avrt.nls	avrt.exe
File opened for modification	C:\Windows\SysWOW64\avrt.nls	avrt.exe
File created	C:\Windows\SysWOW64\aadWamExtension.nls	aadWamExtension.exe
File created	C:\Windows\SysWOW64\acledit.nls	acledit.exe
File created	C:\Windows\SysWOW64\apprepapi.nls	apprepapi.exe
File opened for modification	C:\Windows\SysWOW64\advapi32res.nls	advapi32res.exe
File created	C:\Windows\SysWOW64\activeds.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.nls	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\aadWamExtension.nls	aadWamExtension.exe
File opened for modification	C:\Windows\SysWOW64\acledit.nls	acledit.exe
File created	C:\Windows\SysWOW64\apprepapi.exe	acledit.exe
File created	C:\Windows\SysWOW64\advapi32res.nls	advapi32res.exe
File created	C:\Windows\SysWOW64\avrt.exe	advapi32res.exe
File created	C:\Windows\SysWOW64\aadauthhelper.nls	aadauthhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apprepapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activeds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acledit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advapi32res.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aadauthhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aadWamExtension.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AboveLockAppHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3188	2064	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	86
PID 2064 wrote to memory of 3188	2064	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	86
PID 2064 wrote to memory of 3188	2064	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	86
PID 3188 wrote to memory of 2632	3188	aadWamExtension.exe	93
PID 3188 wrote to memory of 2632	3188	aadWamExtension.exe	93
PID 3188 wrote to memory of 2632	3188	aadWamExtension.exe	93
PID 2632 wrote to memory of 2584	2632	AboveLockAppHost.exe	97
PID 2632 wrote to memory of 2584	2632	AboveLockAppHost.exe	97
PID 2632 wrote to memory of 2584	2632	AboveLockAppHost.exe	97
PID 2584 wrote to memory of 5060	2584	acledit.exe	101
PID 2584 wrote to memory of 5060	2584	acledit.exe	101
PID 2584 wrote to memory of 5060	2584	acledit.exe	101
PID 5060 wrote to memory of 4080	5060	apprepapi.exe	103
PID 5060 wrote to memory of 4080	5060	apprepapi.exe	103
PID 5060 wrote to memory of 4080	5060	apprepapi.exe	103
PID 4080 wrote to memory of 2932	4080	advapi32res.exe	105
PID 4080 wrote to memory of 2932	4080	advapi32res.exe	105
PID 4080 wrote to memory of 2932	4080	advapi32res.exe	105
PID 2932 wrote to memory of 4444	2932	avrt.exe	113
PID 2932 wrote to memory of 4444	2932	avrt.exe	113
PID 2932 wrote to memory of 4444	2932	avrt.exe	113
PID 4444 wrote to memory of 3860	4444	aadauthhelper.exe	117
PID 4444 wrote to memory of 3860	4444	aadauthhelper.exe	117
PID 4444 wrote to memory of 3860	4444	aadauthhelper.exe	117

C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\aadWamExtension.exe
  C:\Windows\system32\aadWamExtension.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\AboveLockAppHost.exe
    C:\Windows\system32\AboveLockAppHost.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\acledit.exe
      C:\Windows\system32\acledit.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\apprepapi.exe
        
        C:\Windows\system32\apprepapi.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m2584:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\SysWOW64\advapi32res.exe
        
        C:\Windows\system32\advapi32res.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m2584:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m5060:C:\Windows\SysWOW64\apprepapi.exe -sC:\Windows\system32
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\avrt.exe
        
        C:\Windows\system32\avrt.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m2584:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m5060:C:\Windows\SysWOW64\apprepapi.exe -sC:\Windows\system32 -m4080:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        C:\Windows\system32\aadauthhelper.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m2584:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m5060:C:\Windows\SysWOW64\apprepapi.exe -sC:\Windows\system32 -m4080:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32 -m2932:C:\Windows\SysWOW64\avrt.exe -sC:\Windows\system32
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m2064:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m3188:C:\Windows\SysWOW64\aadWamExtension.exe -sC:\Windows\system32 -m2632:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m2584:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m5060:C:\Windows\SysWOW64\apprepapi.exe -sC:\Windows\system32 -m4080:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32 -m2932:C:\Windows\SysWOW64\avrt.exe -sC:\Windows\system32 -m4444:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.nls

Filesize
96B

MD5
6d02b2e9a891bee4855e6eb7ce7f8491

SHA1
833e4fe8309bff15ad3963ab5c7a8ca50876b501

SHA256
23e4b1908a1d897c0da494cd0fa69fb272d723ff2b2af7412d5b3a7a6e2d5da8

SHA512
e32c44afb487af9632ed59fc95c781c78217dcdba4942a9d51e06e317543504682bdb2cb74add1f97a6033a87c28cf7048d261c17eeaec083169ea9aaba55412

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.nls

Filesize
96B

MD5
33982dba962763ba5370b98d4e19d1a0

SHA1
e555896f291eb3c41052d07601858f661fdab7c7

SHA256
217a6cbd328f14e745ec2bf3dc8176c9ce57676211b7452c94f4b1b023687499

SHA512
6a85dfc76387913de1d8922ff992c9a049db8d3094301bb5215f2f288839fb2199986efd433c6d31711cfe07bc1741ba71f5430ad623bf3c796ca409f71c217d

Download Submit
C:\Windows\SysWOW64\aadWamExtension.exe

Filesize
269KB

MD5
a1d05b81f9dfab937c1db86773780558

SHA1
cad886f1bdf1b9acb6ab47c6519a65292ab84d12

SHA256
87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4

SHA512
b86b63df3440612da77d42833ee35a894fb9d3e94b13ec5c2d900951ddbceeeb5053fe28ea454cb4b30dd1f32a486d48c479cf27f519c3d50d08f1cf2f64512f

Download Submit
C:\Windows\SysWOW64\aadWamExtension.nls

Filesize
96B

MD5
9766015f389951b5f00a0cee89a5cee8

SHA1
0bb663ef56342655607652ddc96f8b82d75ba434

SHA256
f0a1388acb5c95957dff2ae7167f2e20b3bd75e91d2472da1fbbc17a1f1d26c3

SHA512
d1e8955a8698833ed0b8b4ec940c6b5fde11b2ab4e49f588bd11b8e3567e6fefc5d8967da601498b77080f81b42418d3889364ab652743fcbab330617aff8c4a

Download Submit
C:\Windows\SysWOW64\acledit.nls

Filesize
96B

MD5
f05a34a8c2b5ecd5cd9091be90e844ad

SHA1
60e2bb5e572d2baed1e67513f29310e39f555224

SHA256
a67a7939be53e7a0b8cdec93f8c8f5ae46bf414b35e1c0f68353f30280d95da3

SHA512
4661bc275edc745bf3e55990a35d0a17768fd85968ce8befcbcb4359eec0eed3dbfc434e2547a46b80dd0a61ba0336ef93d38a58d976dd472c470c75699ee863

Download Submit
C:\Windows\SysWOW64\advapi32res.nls

Filesize
96B

MD5
31b48113088ce57fa89402c04de5205c

SHA1
c367f1c2d0ccf96a0a00ae36dd5bf4747836cd8c

SHA256
d90dc2d2b59c7cc50661200e88b77bb0b2bcf26c50587bf32f48cc60c0e68336

SHA512
3bed2a1c222b4caa28aee66837e0ce021e478337cd54152eda7165c5a6aa0dc9d740615a8442364a53ea66950f8525da227b3869ff4bbbf9c58dd21a3344bbba

Download Submit
C:\Windows\SysWOW64\apprepapi.nls

Filesize
96B

MD5
176100ac1b9373375e4cfee44bba0396

SHA1
3b76129246f0dc3d5584653d52be4ac49bb264f7

SHA256
5591151f043da561401adb2b2c69558bf2b4593f7cf2aa52ec72cd039cdb9b26

SHA512
5eba45e4037c811f1abc0d0821cbbc67b6f5bb237efefac97bd3272c41ab1136cb153c8bafec147340fc0d5faf38790385bb01dbf07a57b6ea161d281cf7a7de

Download Submit
C:\Windows\SysWOW64\avrt.nls

Filesize
96B

MD5
c377721b45063b4bfe55fc2a90c3d44a

SHA1
236d70b4e9d4437d695cb6d63c68c5c58c0e8421

SHA256
de3e1a8aaabad9e76fd1b939ad82f24407aecf50db15c19161dbbe03c0fc600b

SHA512
ba6c299f81053a8eeaf199236743f81ae5d4547e7583fcda476bf76bfb11a2cdfa08db8110b072d834f512e23c0c7aba829d1951857a7c666be6bb93a11c9a0f

Download Submit
memory/2064-10-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2064-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2064-2-0x000000000048C000-0x00000000004CE000-memory.dmp

Filesize
264KB

Download
memory/2064-1-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2584-35-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2584-46-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2632-24-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2632-34-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2632-20-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2932-85-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2932-76-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2932-74-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3188-21-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3188-9-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4080-63-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4080-73-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4080-61-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4444-89-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4444-91-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4444-93-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4444-103-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5060-60-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5060-50-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5060-47-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing