Malware Analysis Report

2024-11-16 13:28

Sample ID 240730-yjp9vsvhln
Target 79cfacab10ccd2121527062f1a083880_JaffaCakes118
SHA256 05b595f4eba967c0917e59563f3c4c05a7d1ef128d5f6886c8602dc10cc5f6df
Tags urelas, discovery, trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 05b595f4eba967c0917e59563f3c4c05a7d1ef128d5f6886c8602dc10cc5f6df

Threat Level: Known bad

The file 79cfacab10ccd2121527062f1a083880_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags urelas, discovery, trojan

Urelas

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry reads recorded in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2024-07-30 19:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 19:49

Reported

2024-07-30 19:52

Platform

win7-20240708-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"

Signatures

Urelas

Tags trojan, urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 |  | tcp
KR | 218.54.47.74:11150 |  | tcp
KR | 218.54.47.76:11170 |  | tcp
KR | 218.54.47.77:11150 |  | tcp

Files

memory/2420-0-0x0000000001240000-0x0000000001275000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d3440fbbf0de0f6f4dca96f7d487789d
SHA1 9787063a7e0ddb7f011b6752de9f7d67332a9f56
SHA256 90ec64753f7058e2a0282f7a06a3d408260bcc0d4e5e9ef879a4ad6ba1ffec82
SHA512 073f2ec4746cfe237880ef7fc6a6f5ad82777f3a8b8a782c491a324239dd999548cfe363a54c57f7272599e31b202a46b0ee08a260fffc24f923e476b6f7575d

memory/3060-16-0x0000000000D40000-0x0000000000D75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3f6059794d049dba925379be18aaf31a
SHA1 5efcb729f93d21c54f1d220be7aa0290f2c891e6
SHA256 ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961
SHA512 b78523460ab3c9618d8b4077b1fb3dc5a9591ed2a5cf9e9e1f935d06de8650eee4606ac3957ac1f0ee11bc03385aab5d6333276518ae7094bf33ab3cb219b433

memory/2420-10-0x0000000000990000-0x00000000009C5000-memory.dmp

memory/2420-18-0x0000000001240000-0x0000000001275000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/3060-21-0x0000000000D40000-0x0000000000D75000-memory.dmp

memory/3060-23-0x0000000000D40000-0x0000000000D75000-memory.dmp

memory/3060-30-0x0000000000D40000-0x0000000000D75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-30 19:49

Reported

2024-07-30 19:51

Platform

win10v2004-20240730-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"

Signatures

Urelas

Tags trojan, urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 |  | tcp
KR | 218.54.47.74:11150 |  | tcp
KR | 218.54.47.76:11170 |  | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
KR | 218.54.47.77:11150 |  | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

The only endpoints present in both detonations are the four TCP connections to 218.54.47.74, .76 and .77 on ports 11120, 11150 and 11170; these are the sample-specific network indicators. The g.bing.com traffic and the in-addr.arpa lookups via 8.8.8.8 occur only in this Windows 10 run and are consistent with platform background traffic rather than sample behaviour.
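Both detonations record the same chain: the sample in %TEMP% reads the NLS\Language (and, on Windows 10, the Geo\Nation) key, executes a dropped biudfw.exe from the same directory, and launches cmd.exe on sanfdr.bat, which the report labels "Deletes itself", while TCP connections go out to 218.54.47.74/.76/.77 on ports 11120/11150/11170. The following is an added detection example, not part of the sandbox output or the Urelas family's code. Its event records are constructed in a Sysmon-like shape (field names, the attribution of the connections to biudfw.exe, the cmd.exe PID, the notepad.exe control events and the /24 widening of the C2 range are all this example's assumptions); the PIDs 1480 and 5084 are taken from the behavioral2 memory-dump names, and which process each belongs to is likewise assumed.

```python
"""Detection logic for the chain recorded in both detonations above.

Added example, not part of the sandbox report. The events are CONSTRUCTED
to mirror the report's process list, registry rows and network table in a
Sysmon-like shape (EventID 1 = process create, 12/13 = registry access,
3 = network connection); the field names are this example's assumption.
"""
import ipaddress
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c ""<path>.bat" " as captured in the report; group 1 is the script path.
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"', re.IGNORECASE)
# Keys behind "System Language Discovery" and "Checks computer location settings".
LOCALE_KEYS = (r"\Control\NLS\Language",
               r"\Control Panel\International\Geo\Nation")
# Endpoints seen in both detonations were .74/.76/.77; the /24 is a widening
# chosen here, not something the report states.
C2_NET = ipaddress.ip_network("218.54.47.0/24")
C2_PORTS = {11120, 11150, 11170}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
CMDLINE = r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'

# Constructed event stream. PIDs 1480/5084 come from the behavioral2 memory
# dump names (which is which is assumed); PID 3300 for cmd.exe and the benign
# notepad.exe events (PID 2222) are invented to show what must NOT alert.
EVENTS = [
    {"id": 1, "pid": 1480, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 12, "pid": 1480, "key": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"id": 13, "pid": 1480, "key": r"HKU\S-1-5-21-807826884-2440573969-3755798217-1000"
                                   r"\Control Panel\International\Geo\Nation"},
    {"id": 1, "pid": 5084, "ppid": 1480, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"id": 1, "pid": 3300, "ppid": 1480, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMDLINE},
    {"id": 3, "pid": 5084, "dst_ip": "218.54.47.76", "dst_port": 11120, "proto": "tcp"},
    {"id": 3, "pid": 5084, "dst_ip": "218.54.47.74", "dst_port": 11150, "proto": "tcp"},
    {"id": 3, "pid": 1480, "dst_ip": "13.107.21.237", "dst_port": 443, "proto": "tcp"},  # g.bing.com
    {"id": 1, "pid": 2222, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 12, "pid": 2222, "key": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def in_temp(path):
    return bool(TEMP_RE.search(path or ""))


def detect(events):
    """Return (rule, pid) alerts; every rule is gated on a Temp-resident process."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        proc = procs.get(e["pid"])
        if e["id"] == 1:
            parent = procs.get(e["ppid"])
            if not (parent and in_temp(parent["image"])):
                continue
            if in_temp(e["image"]):                       # report: "Executes dropped EXE"
                alerts.append(("executes_dropped_exe", e["pid"]))
            m = BAT_RE.search(e["cmdline"])
            if e["image"].lower().endswith("\\cmd.exe") and m and in_temp(m.group(1)):
                alerts.append(("cmd_runs_temp_bat", e["pid"]))  # report: "Deletes itself"
        elif e["id"] in (12, 13):
            # Any process may read the locale keys (see notepad.exe); only a
            # Temp-resident binary doing so is worth an alert.
            if proc and in_temp(proc["image"]) and e["key"].endswith(LOCALE_KEYS):
                alerts.append(("locale_discovery_from_temp", e["pid"]))
        elif e["id"] == 3:
            if (proc and in_temp(proc["image"]) and e["proto"] == "tcp"
                    and ipaddress.ip_address(e["dst_ip"]) in C2_NET
                    and e["dst_port"] in C2_PORTS):
                alerts.append(("c2_connection", e["pid"]))
    return alerts


def verdict(alerts):
    """Three or more distinct rules firing is treated as malicious; the
    threshold is this example's choice, not the sandbox's 10/10 scoring."""
    rules = {rule for rule, _ in alerts}
    return "malicious" if len(rules) >= 3 else "suspicious" if rules else "clean"


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid in hits:
        print(f"{rule:28s} pid={pid}")
    print("verdict:", verdict(hits))
```

Every rule is conditioned on the acting process living under \AppData\Local\Temp\, so the locale-key read by notepad.exe and the 443 connection to the Bing address produce nothing; the sample's tree fires all four rules.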

Files

memory/1480-0-0x00000000002C0000-0x00000000002F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d9289b162a515f6aa0c826205b95934b
SHA1 9eea63256e2df7ecfb8f26964a5ae2ee5b79041a
SHA256 b7cb56bec0bd1adc79c3fe0bac8aab78a25ddf53f478c191e73d793dd1f134a7
SHA512 80b7741b5b41a9944f22f60f2f8c2205fc04115e4c6134f226b127b7fbd16ac1c58f0087c70018fe5289a10595191112a03176d62142a7d25062d108777919bf

Note that biudfw.exe hashes differently in the two runs (compare the behavioral1 entry), whereas sanfdr.bat and golfinfo.ini carry identical hashes in both. The dropped EXE's hash is therefore per-run and not a stable indicator; the dropped file names and the network endpoints are.

memory/5084-12-0x00000000007B0000-0x00000000007E5000-memory.dmp

memory/1480-15-0x00000000002C0000-0x00000000002F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3f6059794d049dba925379be18aaf31a
SHA1 5efcb729f93d21c54f1d220be7aa0290f2c891e6
SHA256 ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961
SHA512 b78523460ab3c9618d8b4077b1fb3dc5a9591ed2a5cf9e9e1f935d06de8650eee4606ac3957ac1f0ee11bc03385aab5d6333276518ae7094bf33ab3cb219b433

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/5084-18-0x00000000007B0000-0x00000000007E5000-memory.dmp

memory/5084-20-0x00000000007B0000-0x00000000007E5000-memory.dmp

memory/5084-27-0x00000000007B0000-0x00000000007E5000-memory.dmp
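Comparing the two behavioral runs is what turns this report into usable indicators: endpoints that appear in both runs are attributable to the sample, and a dropped file whose hash changes between runs should not be blocklisted. The following added example (not part of the sandbox output) parses the Network and Files sections in the plain-text form they appear in on this page, copied from behavioral1 (the Windows 7 run) and behavioral2 (the Windows 10 run) and abridged to SHA256, then reports the intersection. The "present in both runs" rule and the basename-based matching of paths with and without a drive letter are this example's own choices.

```python
"""Cross-detonation IOC triage for the two behavioral runs above.

Added example, not part of the sandbox report. The text blocks are copied
from the report's Network and Files sections (behavioral1 = Win7 run,
behavioral2 = Win10 run); parser and stability logic are the example's own.
"""
import ipaddress
import ntpath
import re

NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

BEHAVIORAL1_NET = """
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp
"""
BEHAVIORAL2_NET = """
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp
"""
# Files sections abridged to SHA256. The Win7 run lists one path without a
# drive letter and interleaves memory-dump entries; the parser handles both.
BEHAVIORAL1_FILES = r"""
memory/2420-0-0x0000000001240000-0x0000000001275000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
SHA256 90ec64753f7058e2a0282f7a06a3d408260bcc0d4e5e9ef879a4ad6ba1ffec82
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
SHA256 ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
"""
BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
SHA256 b7cb56bec0bd1adc79c3fe0bac8aab78a25ddf53f478c191e73d793dd1f134a7
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
SHA256 ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
"""


def parse_net(text):
    """{(ip, port, proto): domain or None} for one Network table."""
    out = {}
    for line in text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if m:
            out[(m["ip"], int(m["port"]), m["proto"])] = m["domain"]
    return out


def parse_files(text):
    """{basename_lower: {algo: hexdigest}} for one Files section."""
    files, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif line and not line.startswith("memory/"):
            current = ntpath.basename(line).lower()   # ntpath: works off-Windows too
            files.setdefault(current, {})
    return files


def common_net_iocs(net_a, net_b):
    """Endpoints seen in both runs: the ones attributable to the sample.
    Anything in one run only cannot be told apart from platform noise
    without a clean-baseline detonation."""
    both = set(parse_net(net_a)) & set(parse_net(net_b))
    return sorted(both, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


def stable_file_iocs(files_a, files_b):
    """Per dropped file, whether its SHA256 is identical across runs. A hash
    that changes per run (biudfw.exe here) does not belong in a blocklist."""
    a, b = parse_files(files_a), parse_files(files_b)
    return {name: {"sha256": a[name].get("SHA256"),
                   "stable": a[name].get("SHA256") == b[name].get("SHA256")}
            for name in sorted(set(a) & set(b))}


if __name__ == "__main__":
    for ep in common_net_iocs(BEHAVIORAL1_NET, BEHAVIORAL2_NET):
        print("net  %s:%d/%s" % ep)
    for name, info in stable_file_iocs(BEHAVIORAL1_FILES, BEHAVIORAL2_FILES).items():
        print(f"file {name:14s} stable={info['stable']} sha256={info['sha256']}")
```

The output is four TCP endpoints in 218.54.47.0/24 and three file names, of which only sanfdr.bat and golfinfo.ini have a SHA256 worth distributing; the g.bing.com and reverse-DNS rows drop out because they occur in a single run.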