Analysis Overview
SHA256
05b595f4eba967c0917e59563f3c4c05a7d1ef128d5f6886c8602dc10cc5f6df
Threat Level: Known bad
The file 79cfacab10ccd2121527062f1a083880_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-30 19:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 19:49
Reported
2024-07-30 19:52
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2420-0-0x0000000001240000-0x0000000001275000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | d3440fbbf0de0f6f4dca96f7d487789d |
| SHA1 | 9787063a7e0ddb7f011b6752de9f7d67332a9f56 |
| SHA256 | 90ec64753f7058e2a0282f7a06a3d408260bcc0d4e5e9ef879a4ad6ba1ffec82 |
| SHA512 | 073f2ec4746cfe237880ef7fc6a6f5ad82777f3a8b8a782c491a324239dd999548cfe363a54c57f7272599e31b202a46b0ee08a260fffc24f923e476b6f7575d |
memory/3060-16-0x0000000000D40000-0x0000000000D75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | 3f6059794d049dba925379be18aaf31a |
| SHA1 | 5efcb729f93d21c54f1d220be7aa0290f2c891e6 |
| SHA256 | ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961 |
| SHA512 | b78523460ab3c9618d8b4077b1fb3dc5a9591ed2a5cf9e9e1f935d06de8650eee4606ac3957ac1f0ee11bc03385aab5d6333276518ae7094bf33ab3cb219b433 |
memory/2420-10-0x0000000000990000-0x00000000009C5000-memory.dmp
memory/2420-18-0x0000000001240000-0x0000000001275000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/3060-21-0x0000000000D40000-0x0000000000D75000-memory.dmp
memory/3060-23-0x0000000000D40000-0x0000000000D75000-memory.dmp
memory/3060-30-0x0000000000D40000-0x0000000000D75000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 19:49
Reported
2024-07-30 19:51
Platform
win10v2004-20240730-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1480 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1480 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1480 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1480 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1480 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1480 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79cfacab10ccd2121527062f1a083880_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1480-0-0x00000000002C0000-0x00000000002F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | d9289b162a515f6aa0c826205b95934b |
| SHA1 | 9eea63256e2df7ecfb8f26964a5ae2ee5b79041a |
| SHA256 | b7cb56bec0bd1adc79c3fe0bac8aab78a25ddf53f478c191e73d793dd1f134a7 |
| SHA512 | 80b7741b5b41a9944f22f60f2f8c2205fc04115e4c6134f226b127b7fbd16ac1c58f0087c70018fe5289a10595191112a03176d62142a7d25062d108777919bf |
memory/5084-12-0x00000000007B0000-0x00000000007E5000-memory.dmp
memory/1480-15-0x00000000002C0000-0x00000000002F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | 3f6059794d049dba925379be18aaf31a |
| SHA1 | 5efcb729f93d21c54f1d220be7aa0290f2c891e6 |
| SHA256 | ea934bcdc44ed95b7d9cd093302cb41fcc7defae052b9fd956bdcc31ef8b6961 |
| SHA512 | b78523460ab3c9618d8b4077b1fb3dc5a9591ed2a5cf9e9e1f935d06de8650eee4606ac3957ac1f0ee11bc03385aab5d6333276518ae7094bf33ab3cb219b433 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/5084-18-0x00000000007B0000-0x00000000007E5000-memory.dmp
memory/5084-20-0x00000000007B0000-0x00000000007E5000-memory.dmp
memory/5084-27-0x00000000007B0000-0x00000000007E5000-memory.dmp