Analysis Overview
SHA256
e405375bce9a6dd921531f4b69303ab2f934d4bd31b1739062501da5cce96901
Threat Level: Known bad
The file 7918f09103a1c2639f4981960d9de8cd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 18:14
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 18:14
Reported
2024-07-27 18:19
Platform
win7-20240705-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dugul.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yvkocu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\woapm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dugul.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dugul.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yvkocu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\woapm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dugul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yvkocu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\dugul.exe
"C:\Users\Admin\AppData\Local\Temp\dugul.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\yvkocu.exe
"C:\Users\Admin\AppData\Local\Temp\yvkocu.exe" OK
C:\Users\Admin\AppData\Local\Temp\woapm.exe
"C:\Users\Admin\AppData\Local\Temp\woapm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2312-1-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dugul.exe
| MD5 | db6d814e5338b44794a9a0b0a9d2159a |
| SHA1 | 41ebb2fbb47c8d0c5dc064ba740ade57789334f3 |
| SHA256 | 9671144b20e3f896772d9a379d570dbb6320e9c700bb4535da870a190b520f5a |
| SHA512 | 92245a4723198daa936dde4f36a448dfe012fa89221653c7edf5b2fb1f8060310360c650782a395eda72c477a8ce177a875a06a092d46661dd2afb4c7c130986 |
memory/2312-21-0x0000000002490000-0x00000000024F8000-memory.dmp
memory/2312-20-0x0000000002490000-0x00000000024F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 588c998fe8ca8671bd2b4ffbe8e4788a |
| SHA1 | 60be291ad01a2e656b18f68913ae3e7c0dd45145 |
| SHA256 | 4ec633f06713ae525698ccd8542daa7da30482e338fa024fefc0c73f38fae349 |
| SHA512 | 631b5efbfa1c6a7282cf619212b3eeb268d6e0ec3ce73cd150f35536213b0b50b3562eaf17e3af96dcbf7e8c3e16b264f96db333d009216fd9461a6a65e133b0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e797f35bbb942da554398f3bb2af21e1 |
| SHA1 | 437eb1503fc99d320c8d63bc4082b3d88f955d06 |
| SHA256 | 642fee2ae1516dea36077767ab99220c960b41c6ed797e55498748161da87900 |
| SHA512 | 74843d9f71f6486b74eb1c85eda5575f030630ba130ccfc454760fcca60155d7f7824cfbf19f0b0c2e78f0db0e1d12fc2275773f85faa70fed0ce7ce91b1a3f7 |
memory/2312-23-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2944-22-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2944-34-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yvkocu.exe
| MD5 | fc3bb2662d615feb08bbfa4eae875f54 |
| SHA1 | 41f33b452f3d59638218d24e806b14ab72d0af91 |
| SHA256 | e8815ddc5c67adfa02505aa89ed2d339111aecbe43ceacbfaa76d43e085337fc |
| SHA512 | 4d0d66db2730e2d7e83d267f1e8709a4aaec474ffaa7ab3186675cd7a075a068a81d7cd49028f7a1448563ea39396782135bcfa234f17d3b507d1db9eb34f4d1 |
memory/2680-35-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2680-52-0x0000000003A30000-0x0000000003AD0000-memory.dmp
memory/2680-51-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2792-53-0x0000000000050000-0x00000000000F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 9c09e02f8b6546ba408a5f7259335f69 |
| SHA1 | f2c146d2dd5046084b58c3fb8adefc411c82b519 |
| SHA256 | ad7ed3fa92da04f5bc956a59c7d8faffdb132f93b9341147b8f840d80675380d |
| SHA512 | 8e17301a0c3f1aa22ddd2158d739a667d70c53a2dbec897de4336815bd814463c3d604e79f1a7e531cd3630d8e744b4847221b5e8be94693db0f4902939e7065 |
C:\Users\Admin\AppData\Local\Temp\woapm.exe
| MD5 | 6b57de47b1efdb93671fbd2617d6fe9d |
| SHA1 | 40d5b7121c58077369e65b45850138ff91840f81 |
| SHA256 | aa13cfbc7cae1c1ad664f59032b177e9d0309d0a09283c8673994c69e4d54247 |
| SHA512 | d06c3f4eec4b82b05a75e9d0a2574dabb60623b3ed88b69abe5575e6a906fd796231efc3daa049315cc9c5d86fafdc8cc7e39c8d1fc756a74a92742cc8d1e854 |
memory/2792-57-0x0000000000050000-0x00000000000F0000-memory.dmp
memory/2792-58-0x0000000000050000-0x00000000000F0000-memory.dmp
memory/2792-59-0x0000000000050000-0x00000000000F0000-memory.dmp
memory/2792-60-0x0000000000050000-0x00000000000F0000-memory.dmp
memory/2792-61-0x0000000000050000-0x00000000000F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 18:14
Reported
2024-07-27 18:19
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ozcai.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ozcai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ijroo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ijroo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ozcai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ozcai.exe
"C:\Users\Admin\AppData\Local\Temp\ozcai.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe
"C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe" OK
C:\Users\Admin\AppData\Local\Temp\ijroo.exe
"C:\Users\Admin\AppData\Local\Temp\ijroo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/1900-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ozcai.exe
| MD5 | 0d18c840676b2e7a8440e3d3552d0c4c |
| SHA1 | 7b3a9212d21c72eb242fc1815d2f8c37b83e6ab5 |
| SHA256 | 35baae570f9f7a94791276a56d127b3bba00a14171a196bed8bb4433d034d96d |
| SHA512 | 6daed6bab675525ca69a8d20d0e0c5e8e5b450591af649029e3a1bd0e7907eaba26f334cfccec531150491aebac78cfa4b92ca589d26ad341073a0a7d5bd8436 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 5b69ae1d2d3fa2540aa18a851a3b5a72 |
| SHA1 | 34d03b7c707e51eee53f8d45a2f7ea33947f1353 |
| SHA256 | fdf5dcc279a68ededdf299dc080608460e62a1b194f87e1f1d725da6ba5dfbeb |
| SHA512 | 3db96361e29efa0830b1441a0efc536d98ded4b508e952ee72d7adc5d3bc9638285c6ffa3119361ad65d50b1728e2c1429f530a2b7f5683eb102ba9295160756 |
memory/316-9-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1900-15-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 588c998fe8ca8671bd2b4ffbe8e4788a |
| SHA1 | 60be291ad01a2e656b18f68913ae3e7c0dd45145 |
| SHA256 | 4ec633f06713ae525698ccd8542daa7da30482e338fa024fefc0c73f38fae349 |
| SHA512 | 631b5efbfa1c6a7282cf619212b3eeb268d6e0ec3ce73cd150f35536213b0b50b3562eaf17e3af96dcbf7e8c3e16b264f96db333d009216fd9461a6a65e133b0 |
C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe
| MD5 | 507aaf3e682e2bc06f93b0dd482c98f1 |
| SHA1 | b6a2c351e446ef49876dc9339460319b09dbe293 |
| SHA256 | 02ad682ac37f912605aeaeb34f5c37beaefcea3718ed337c249b8c2b755922cc |
| SHA512 | 81fba914968b7dcc6eaeb1242474e0995230c2558f38d7c2f7dbd9ce4ced6732027998e8d529c23f2c780afef7cfa1ac30179e18a6435ff5db0da9f486d8bdf5 |
memory/1984-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/316-26-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ijroo.exe
| MD5 | 2856c347173ae1bc1fac7fa366812699 |
| SHA1 | 2243bfbb223359ca37d85f9e12c23168e3fae6aa |
| SHA256 | 84e22c2ab667235974f7550774198fa64476fa1f8197be758397ae130bf7b928 |
| SHA512 | 2073c30a9aee2728c6771a81e02d5b551906bd614cee57bbc6212e09f54dd491efdf616000b5844cc07bb489a8039555c3792ce6b8cf34d1c6bb726f732cd06c |
memory/2384-37-0x0000000000BF0000-0x0000000000C90000-memory.dmp
memory/1984-39-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4bb66c01534eab182b3256f1e6fb4461 |
| SHA1 | f27d7e14bc4a8c330a82ba213891082b8fcbd175 |
| SHA256 | 660ea795cd98df2d439f0c5ef9c9ecf8203af7fd05f0f0925eb5c7d2aff33f52 |
| SHA512 | c21402502f629c870e20d25ca59e7ed5330d6ad52dbf165c26ce434466309fc8f9325886c51b37c7f0c4bc17efacb2e24ac180cd95066b04790a1a6ca6301b5e |
memory/2384-42-0x0000000000BF0000-0x0000000000C90000-memory.dmp
memory/2384-43-0x0000000000BF0000-0x0000000000C90000-memory.dmp
memory/2384-44-0x0000000000BF0000-0x0000000000C90000-memory.dmp
memory/2384-45-0x0000000000BF0000-0x0000000000C90000-memory.dmp