Analysis Overview
SHA256
3b776b91821efe686c53d5dff43dee312849131ecc6ac4ab92a3b6c4cc861071
Threat Level: Known bad
The file 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 05:05
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 05:05
Reported
2024-07-30 06:39
Platform
win7-20240708-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\musuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\powaq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\musuv.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\musuv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\powaq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\musuv.exe
"C:\Users\Admin\AppData\Local\Temp\musuv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\powaq.exe
"C:\Users\Admin\AppData\Local\Temp\powaq.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\musuv.exe
| MD5 | 3d132e51ae58ada734daf9e8293d41e2 |
| SHA1 | f9e6670a780a75106c24c5a124f14c090e6d9f68 |
| SHA256 | 2e809f7dbb1a10dd3bfcddc536e9831742e1fa7553646bf4e984c7f1780dfb09 |
| SHA512 | 51618cadaa9e56044bb16bb84f3bf5e7794a1f94ebbfc3dae4fe16c8b49b066ad4581f229d197b50ff73fae650b222caa2e00518694bca3f166e8ed42b080195 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 680defa5b44421ef7593588d21774a3a |
| SHA1 | 2afe4fe922217bcff4d30da926ea316f1ef40a51 |
| SHA256 | a43794c3a6e03c1513a14d5eb1a70229957907809f0cb12bc6ad71551fa84de6 |
| SHA512 | 6b0fa160767207351c7688db84e99e28f60936ca88295f33d3c7d3060c73368f76a5c12df3ed98e2bdcfa391b41303b25fc61f7f07e492f6073d2740c1f13f23 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 40904c995a9d10389928fc505460ac0d |
| SHA1 | 8dc4b8bcc338b0309e38ac4be95112e68f6ccc0f |
| SHA256 | 1e74e35f0c0737f46cfe550b509076fe84e4286c632470515b6f305b31b9feb4 |
| SHA512 | 80a379e19cdbbdc693e739476e0639602618dfae546749a86fe6690b6528a9b4fb35f230be05fffd7fcf4a81808822bd77e21192730012381ced8f2f86b58500 |
\Users\Admin\AppData\Local\Temp\powaq.exe
| MD5 | 8b33f05e83326b0f1cfa5f764b063d1c |
| SHA1 | 2dc8d1fe911855f38c75c1e9172c414df451da5d |
| SHA256 | 03ecc0867f4da60c12007ed76da5c1943e4f44a369f29c70bcb3e99a0cc50f8e |
| SHA512 | 00aadfcf736a40fc6e1c285eed9edfa42183a6c20780d7ac9de2548a68bfa1d8018f3244fa24a352d9af31188c415be19128b4c026a4a6632f29d14ab69375cf |
memory/2764-27-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2764-26-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-23-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-29-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-30-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-31-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-32-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/2764-33-0x0000000001320000-0x00000000013B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 05:05
Reported
2024-07-30 06:39
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\eduju.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eduju.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezhoj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eduju.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ezhoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\eduju.exe
"C:\Users\Admin\AppData\Local\Temp\eduju.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ezhoj.exe
"C:\Users\Admin\AppData\Local\Temp\ezhoj.exe"
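The process lists of both detonations show the same chain: the submitted executable runs from the user's Temp directory, launches a second executable dropped there, and runs cmd.exe against a .bat in the same directory (the step the report tags as "Deletes itself"). The following is an added example, not part of the sandbox report, that rebuilds that chain from Sysmon-style process-creation events and flags the two patterns. The events are constructed from the command lines on this page; the PIDs and the parent/child links are assumptions made for the example, since the report does not state them.

```python
"""Added example (not from the sandbox report): flag a Temp-resident executable
that launches another Temp-resident executable, and a Temp-resident executable
that runs cmd.exe /c on a .bat in Temp (the self-delete pattern). Events are
constructed from the report's command lines; PIDs/parents are assumptions."""
import ntpath
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = "77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged


# Constructed Sysmon Event ID 1 style events. The win7 run logged "cmd /c",
# the win10 run "C:\Windows\system32\cmd.exe /c"; both forms are included.
EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2764, 1000, ntpath.join(TEMP, DROPPER), f'"{ntpath.join(TEMP, DROPPER)}"'),
    ProcEvent(2800, 2764, ntpath.join(TEMP, "musuv.exe"), f'"{ntpath.join(TEMP, "musuv.exe")}"'),
    ProcEvent(2820, 2764, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{ntpath.join(TEMP, "_uinsey.bat")}" "'),
    ProcEvent(2850, 2800, ntpath.join(TEMP, "powaq.exe"), f'"{ntpath.join(TEMP, "powaq.exe")}"'),
    ProcEvent(3228, 1000, ntpath.join(TEMP, DROPPER), f'"{ntpath.join(TEMP, DROPPER)}"'),
    ProcEvent(3300, 3228, r"C:\Windows\SysWOW64\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c ""{ntpath.join(TEMP, "_uinsey.bat")}" "'),
    # Benign control: a system binary started from explorer, must not fire.
    ProcEvent(4000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

USER_TEMP_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
# "cmd /c" or "...\cmd.exe /c" followed by a quoted .bat path; cmd.exe doubles
# the outer quotes, hence the "* before the capture group.
BAT_RE = re.compile(r'(?i)\bcmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)\b')


def in_user_temp(path: str) -> bool:
    """True for any path under a user's AppData\\Local\\Temp, whatever the user name."""
    return bool(USER_TEMP_RE.search(path))


def find_chains(events):
    """Return (rule, parent_pid, pid, detail) for each suspicious parent/child pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_user_temp(parent.image):
            continue  # both rules require a parent that itself runs from Temp
        if in_user_temp(e.image):
            findings.append(("temp_exe_launches_temp_exe", parent.pid, e.pid, e.image))
        elif ntpath.basename(e.image).lower() == "cmd.exe":
            m = BAT_RE.search(e.cmdline)
            if m and in_user_temp(m.group(1)):
                findings.append(("temp_exe_runs_temp_batch", parent.pid, e.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, ppid, pid, detail in find_chains(EVENTS):
        print(f"{rule}: {ppid} -> {pid} {detail}")
```

The rule keys on the parent's location rather than on "dropped" status, because an EDR has no file-origin view comparable to the sandbox's; pairing it with a file-creation event for the child image would tighten it further. Note that the submitted sample itself (started from explorer) does not fire, only the chain beneath it.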
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
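Both detonations reach the same four hosts on the unusual ports 11110 and 11170, while the win10 run adds resolver traffic, reverse-lookup queries and Bing connections that are platform background rather than sample behaviour. The following is an added example, not part of the sandbox report, that turns the Network tables of both runs into a C2 indicator set and matches it against connection records. The rows are copied from the page; the parser accepts both the normal "Country | Destination | Domain | Proto" layout and rows where the protocol has slipped into the Domain column, as happens in some extractions. Which traffic counts as sandbox background (the 8.8.8.8 resolver, in-addr.arpa lookups, bing.net) is the analyst's judgement, not a statement the report makes, and the connection log lines are constructed.

```python
"""Added example (not from the sandbox report): build a C2 indicator set from
the report's Network tables and match it against Zeek conn.log-style records.
Benign-noise filtering is an analyst judgement; the log lines are constructed."""

# Rows as they appear on the page, in both the regular and the shifted layout.
REPORT_ROWS = """
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | tcp | |
| KR | 218.54.31.165:11110 | tcp | |
| JP | 133.242.129.155:11110 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

RESOLVERS = {"8.8.8.8"}                      # sandbox DNS resolver, not C2
BENIGN_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.net")  # analyst judgement
PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Parse report rows into dicts, tolerating a protocol in the Domain column."""
    iocs = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        proto = next((c for c in rest if c in PROTOS), "")
        domain = next((c for c in rest if c not in PROTOS), "")
        ip, port = dest.rsplit(":", 1)
        iocs.append({"country": country, "ip": ip, "port": int(port),
                     "proto": proto, "domain": domain})
    return iocs


def c2_indicators(iocs):
    """Drop resolver and known-background rows; return {(ip, port, proto)}."""
    out = set()
    for i in iocs:
        if i["ip"] in RESOLVERS or i["domain"].endswith(BENIGN_DOMAIN_SUFFIXES):
            continue
        out.add((i["ip"], i["port"], i["proto"]))
    return out


# Constructed conn.log-style records: ts, orig_h, orig_p, resp_h, resp_p, proto.
# 203.0.113.9 and 198.51.100.20 are documentation (TEST-NET) addresses.
CONN_LOG = """\
1722056700.1\t10.0.0.5\t49152\t218.54.31.226\t11110\ttcp
1722056701.2\t10.0.0.5\t49153\t8.8.8.8\t53\tudp
1722056702.3\t10.0.0.5\t49154\t150.171.28.10\t443\ttcp
1722056703.4\t10.0.0.5\t49155\t203.0.113.9\t11170\ttcp
1722056704.5\t10.0.0.5\t49156\t198.51.100.20\t443\ttcp
"""


def match_conn_log(log_text, indicators):
    """Exact (ip, port, proto) matches are hits; the same rare port to another
    host is reported as a lead only, since port reuse is a heuristic."""
    exact = set(indicators)
    port_reuse = {(port, proto) for _, port, proto in indicators}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _sport, dst, dport, proto = line.split("\t")
        key = (dst, int(dport), proto)
        if key in exact:
            hits.append(("c2_exact", src, dst, int(dport), proto))
        elif (int(dport), proto) in port_reuse:
            hits.append(("c2_port_reuse_lead", src, dst, int(dport), proto))
    return hits


if __name__ == "__main__":
    c2 = c2_indicators(parse_rows(REPORT_ROWS))
    for hit in match_conn_log(CONN_LOG, c2):
        print(hit)
```

Blocking the four IP:port pairs at the egress is the immediate response; the port-reuse lead exists because the report shows the family using the same two ports on hosts in two countries, so an unexplained outbound connection to 11110/11170 elsewhere is worth a look even though it is not a confirmed indicator.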
Files
C:\Users\Admin\AppData\Local\Temp\eduju.exe
| MD5 | 94b9a30b577a3d010cf4f5db5394c6c4 |
| SHA1 | 33cb46138e3988f61938ffe6fecd586136e6d39f |
| SHA256 | bf49215da39bf7bd51c02f5ee31bd04801aa96a89accef3a9129b35dac2ba452 |
| SHA512 | 2fac45e2af85346728f45d77183fea4b7f6e216e4267f9323e0ab69c7666a05d4279c51e40057de420981f16a2573ad484b0835045446270a754eacf19969877 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 680defa5b44421ef7593588d21774a3a |
| SHA1 | 2afe4fe922217bcff4d30da926ea316f1ef40a51 |
| SHA256 | a43794c3a6e03c1513a14d5eb1a70229957907809f0cb12bc6ad71551fa84de6 |
| SHA512 | 6b0fa160767207351c7688db84e99e28f60936ca88295f33d3c7d3060c73368f76a5c12df3ed98e2bdcfa391b41303b25fc61f7f07e492f6073d2740c1f13f23 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f379ac09b25ea98ac141ead87d859ad7 |
| SHA1 | 1b0d8eec881cbc255072bd193c3ff7a8d03bd0a2 |
| SHA256 | 8d678e3c01f4940a4646087246b5a0137787956c8d98f65fdf32539074ed3ade |
| SHA512 | 1fb2d3313ddeb7a478471f5a230a7959974f9b6aac2f4515f72eab8660b35cff578b5d1c1b77913dbd3d4d2f4648ee89eff34734fcd7b80c02edc21293ce32fd |
C:\Users\Admin\AppData\Local\Temp\ezhoj.exe
| MD5 | d75b549f3f9726eea0dc31501f59bd37 |
| SHA1 | 612d585b7b6a302ba364bd42faa3724358d43388 |
| SHA256 | b80a19f0b8204d7fbfb5b9f37cc15523e03890a1e7e2c0e1f019011655c50d1d |
| SHA512 | 58f44bbfb9fa45ce91634b33c22bb9ff0d531f580f4c18af8c8efb7e835261ad7052325b81caec73ef12c7f1c2dc2eecc0e9a034264c05e09557b8f581072c68 |
memory/3228-23-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/3228-22-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-24-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-28-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-29-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-30-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/3228-31-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-32-0x00000000000C0000-0x0000000000159000-memory.dmp
memory/3228-33-0x00000000000C0000-0x0000000000159000-memory.dmp