Analysis Overview
SHA256
4424fa680a988afb5defe2afc22eb4b2d367823de222d0708502c957e4e0d1ed
Threat Level: Known bad
The file 7b265e33408651503993728ef02b990d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
ASPack v2.12-2.42
Deletes itself
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
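Two of the static signals above, "ASPack v2.12-2.42" and "Unsigned PE", can be reproduced before detonation from the PE headers alone. The script below is an added example and is not part of this report or the sandbox's own signature set: it parses the COFF/optional header and section table with the standard library, flags the section names the ASPack 2.x stub leaves behind (".aspack" and ".adata", an assumption of the heuristic, since names are trivially renamed), and reads the Security data directory, whose size is zero when no Authenticode blob is embedded. The PE images it runs on are constructed inline for the demonstration, not the real sample.

```python
# Added example, not from the sandbox report: header-level triage of a PE.
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)
ASPACK_SECTIONS = {".aspack", ".adata"}  # assumption: names added by the ASPack 2.x stub


def parse_pe(data: bytes) -> dict:
    """Return section names and the Security directory (RVA, size) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                     # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+), 8 bytes each (RVA, Size).
    dir_base = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic]
    sec_rva, sec_size = struct.unpack_from("<II", data, opt + dir_base + 8 * SECURITY_DIR_INDEX)
    table = opt + opt_size              # section table follows the optional header
    sections = []
    for i in range(nsections):
        raw = struct.unpack_from("8s", data, table + 40 * i)[0]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"sections": sections, "security": (sec_rva, sec_size)}


def looks_aspack(info: dict) -> bool:
    """True if the ASPack section pair is present. Absence proves nothing."""
    return ASPACK_SECTIONS.issubset({s.lower() for s in info["sections"]})


def has_embedded_signature(info: dict) -> bool:
    """Security directory size 0 means no embedded Authenticode signature.
    Catalog-signed OS binaries also show 0, so 'unsigned' for a System32 file
    still needs a catalog lookup; for a dropper in %TEMP% the check stands."""
    return info["security"][1] != 0


def build_pe(section_names, signed=False) -> bytes:
    """Construct a minimal, non-runnable PE32 header with the given sections (test input)."""
    opt_size = 224                      # PE32 optional header including 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if signed:                          # fake a certificate table entry
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x2000)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in section_names
    )
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    return {"aspack": looks_aspack(info), "signed": has_embedded_signature(info), "sections": info["sections"]}


if __name__ == "__main__":
    print(triage(build_pe([".text", ".aspack", ".adata"])))
    print(triage(build_pe([".text", ".rdata"], signed=True)))
```

Run `triage()` on the real file's bytes instead of the constructed header to get the same two verdicts the report lists; an unpacked memory dump such as the 0x400000-0x465000 regions listed under Files will not carry the packer's section names, so run it on the on-disk dropper, not the dump.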
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 03:50
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 03:50
Reported
2024-07-31 03:52
Platform
win7-20240704-en
Max time kernel
149s
Max time network
82s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vaety.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xygow.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vaety.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vaety.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xygow.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vaety.exe
"C:\Users\Admin\AppData\Local\Temp\vaety.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\xygow.exe
"C:\Users\Admin\AppData\Local\Temp\xygow.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/3012-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\vaety.exe
| MD5 | a83b31f62ae8f5b29a33b63c84fcc693 |
| SHA1 | c87c4efb643e2f5261c71405d85215e804cedec2 |
| SHA256 | ace7adc9616be32a4f8162a3c7604cae021200ee1f3b217449e6bcaf6c1c0f27 |
| SHA512 | 47c123f4d9b33ef98ad4022f17f46522821d2996ecaea43e41e1207ee4521663c6122ab2fbe05d01d43831d328d63c9573220899174054e1085f1b48d650ac3b |
memory/3012-6-0x0000000002740000-0x00000000027A5000-memory.dmp
memory/3012-13-0x0000000002740000-0x00000000027A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 16c800767fa0b88587402e883ff60426 |
| SHA1 | b82215a563de8c85af9f9acb2566cf9695b5bafa |
| SHA256 | d83b393b3ff1b8e84c7348f9f1e5a147145fea1af6a7c9ab4659799358974d1f |
| SHA512 | 1517df0b00992237d755be140bf0d80912792fe9deda0fa33cd321a73e1808bf61586d3472c7dadb470f61e9608038448c2ff621eedc3ea16b403bec20faaf35 |
memory/3012-21-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 49f667c12c0cdd6b440ed9afb05f80b1 |
| SHA1 | 4a1c69ee30fc95e143fe471ac582edb6b678f914 |
| SHA256 | ed798e35bfaa4ff0d2077fc7fa03544ad3e6899b8696f71d17d8e6f88e982fbb |
| SHA512 | 324e9dbc4964d0cf3f45b51e1757fc0f9c6d700473234c31c2eefce7ce5c39471c4a8b970af29727fa54e53cf6be5c6fa26f712f81eb2fed7d8bbc9ab8e722be |
\Users\Admin\AppData\Local\Temp\xygow.exe
| MD5 | 78ca289fb4a9fc8abb931cd989e34c2e |
| SHA1 | 6ac1041b7a1347c0f562bffa3257302c8dca6288 |
| SHA256 | 01066a77d9a5341ce548f2e941c42d8a41c586e935537621998283e4142b8102 |
| SHA512 | 53e05f66c40ab0dc5f1f4b2422adb62cffdb083ea313f937bd18eb54c452a8bc7bc87b1ec7d9616300ad273aae4c160095e45b0eebb4f7b9a6d33090fc4d18ff |
memory/2424-29-0x00000000031B0000-0x0000000003244000-memory.dmp
memory/2196-35-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-34-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-32-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2424-31-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2196-33-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-38-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-39-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-40-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-41-0x0000000001220000-0x00000000012B4000-memory.dmp
memory/2196-42-0x0000000001220000-0x00000000012B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 03:50
Reported
2024-07-31 03:52
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\byogg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\byogg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kavoq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kavoq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\byogg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\byogg.exe
"C:\Users\Admin\AppData\Local\Temp\byogg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kavoq.exe
"C:\Users\Admin\AppData\Local\Temp\kavoq.exe"
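The process lists of both detonations show the same chain: the dropper in %TEMP% starts a second-stage EXE in %TEMP%, runs cmd.exe on a batch file in %TEMP% (the "Deletes itself" signature), and the %TEMP% binaries read Geo\Nation and NLS\Language. The script below is an added example, not the sandbox's detection logic, that turns that chain into rules over event records. The records are constructed to mirror the report's tables; the parent-process links are an assumption read off the order of the process list, since the report prints no tree, and the batch file's contents are not shown, so the rule keys on the pattern (batch in %TEMP% launched by an executable in %TEMP%) rather than on what the batch does. The registry reads are "Key opened"/"Key value queried" operations, which Sysmon does not log; this needs API-tracing telemetry (a sandbox or an EDR), and because legitimate software reads these keys too, the rule only fires when the reader lives in %TEMP%.

```python
# Added example, not from the sandbox report: detection rules for the chain above.
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)', re.IGNORECASE)
LOCALE_KEYS = (
    r"\Control Panel\International\Geo\Nation",   # "Checks computer location settings"
    r"\Control\NLS\Language",                     # "System Location Discovery: System Language Discovery"
)
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"

# Constructed records shaped like the report's tables. Parent links are an assumption.
EVENTS = [
    {"kind": "process", "image": DROPPER, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + DROPPER + '"'},
    {"kind": "process", "image": TEMP + r"\byogg.exe", "parent": DROPPER,
     "cmdline": '"' + TEMP + r'\byogg.exe"'},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": DROPPER,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "'},
    {"kind": "process", "image": TEMP + r"\kavoq.exe", "parent": TEMP + r"\byogg.exe",
     "cmdline": '"' + TEMP + r'\kavoq.exe"'},
    {"kind": "registry", "op": "Key value queried", "process": TEMP + r"\byogg.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation"},
    {"kind": "registry", "op": "Key opened", "process": TEMP + r"\kavoq.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # Benign control: a system binary reading the same key must not fire.
    {"kind": "registry", "op": "Key opened", "process": r"C:\Windows\System32\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def in_temp(path):
    return bool(TEMP_RE.search(path))


def detect(events):
    """Return (rule, subject) pairs in event order."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            # Executes dropped EXE: both child and parent live in %TEMP%.
            if in_temp(ev["image"]) and in_temp(ev["parent"]):
                findings.append(("executes-dropped-exe", ev["image"]))
            # Self-delete pattern: cmd.exe started by a %TEMP% binary on a %TEMP% batch file.
            m = BAT_RE.search(ev["cmdline"])
            if ev["image"].lower().endswith(r"\cmd.exe") and m and in_temp(m.group(1)) and in_temp(ev["parent"]):
                findings.append(("temp-batch-from-temp-exe", m.group(1)))
        elif ev["kind"] == "registry":
            # Locale discovery only counts when the reader is itself a dropped file.
            if in_temp(ev["process"]) and ev["key"].endswith(LOCALE_KEYS):
                findings.append(("locale-discovery", ev["process"]))
    return findings


def verdict(findings):
    """Any single rule is weak on its own; the chain is what matters."""
    distinct = {rule for rule, _ in findings}
    return "suspicious-chain" if len(distinct) >= 2 else "inconclusive"


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, subject in hits:
        print(f"{rule:26} {subject}")
    print(verdict(hits))
```

The same rules fire unchanged on the Windows 7 run, where the dropped names are vaety.exe and xygow.exe and the batch is again _uinsey.bat, which is the point of keying on the %TEMP% relationship rather than on the randomised file names.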
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
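Both network tables list the same four direct TCP connections to high ports (11110 and 11170) on KR and JP addresses, with no DNS lookup preceding them; the Windows 10 run adds resolver traffic, reverse lookups and a bing.net fetch that come from the sandbox image rather than the sample. The script below is an added example, not part of the report, that separates the two: it filters the background traffic (the noise list is an assumption about what a clean Windows 10 detonation produces), keeps direct-to-IP connections on non-standard ports as the candidate peer list, and renders them as Suricata rules whose sids and messages are likewise assumptions. Treat the output as candidates, not confirmed C2: the report shows that the connections were made, not what was exchanged.

```python
# Added example, not from the sandbox report: network IOC triage.
import ipaddress

# Rows copied from the two network tables above: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11110", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("KR", "218.54.31.165:11110", "", "tcp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("JP", "133.242.129.155:11110", "", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
]

# Assumption: background traffic of the sandbox's Windows image, not the sample's.
NOISE_DOMAINS = (".in-addr.arpa", ".bing.net")


def split_dest(dest):
    host, port = dest.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def is_sandbox_noise(row):
    _, dest, domain, proto = row
    _, port = split_dest(dest)
    if proto == "udp" and port == 53:   # resolver traffic: the peer is the DNS server, not the C2
        return True
    return domain.endswith(NOISE_DOMAINS)


def c2_candidates(rows):
    """Direct-to-IP TCP connections on non-standard ports, deduplicated and sorted."""
    seen = set()
    for row in rows:
        if is_sandbox_noise(row):
            continue
        _, dest, domain, proto = row
        ip, port = split_dest(dest)
        if proto == "tcp" and domain == "" and port >= 1024:
            seen.add((ip, port))
    return sorted(seen)


def suricata_rules(candidates, sid_base=9000001):
    """One alert rule per candidate; sid range and msg text are assumptions."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Urelas candidate C2 {ip}:{port}"; flow:to_server; '
        f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(candidates)
    ]


if __name__ == "__main__":
    for rule in suricata_rules(c2_candidates(NETWORK_ROWS)):
        print(rule)
```

The same four peers appear in both detonations two minutes apart, which is what a hard-coded address list looks like; block at the IP:port level rather than by domain, since no name is ever resolved for them.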
Files
memory/4712-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\byogg.exe
| MD5 | f3922e96907358ca62f13f3b69b77587 |
| SHA1 | 65131e06e18715dca08c2c7c04da5463f8ec0237 |
| SHA256 | 7ff99245ea65d5802e2b982449b10c8ee7c688e73fa144600906e80a64a6fb05 |
| SHA512 | 4f8418c7d549195ceff9cca2d81967285f9e84b1745209b15e59859c8becaccd00829c52e60261c81816ca899e1445a2c03db6622db0004f747526370c9a7994 |
memory/808-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4712-14-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 16c800767fa0b88587402e883ff60426 |
| SHA1 | b82215a563de8c85af9f9acb2566cf9695b5bafa |
| SHA256 | d83b393b3ff1b8e84c7348f9f1e5a147145fea1af6a7c9ab4659799358974d1f |
| SHA512 | 1517df0b00992237d755be140bf0d80912792fe9deda0fa33cd321a73e1808bf61586d3472c7dadb470f61e9608038448c2ff621eedc3ea16b403bec20faaf35 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b103e3b934175942ebec0f984a60c1db |
| SHA1 | b29161a0ab43020f03c3658be7f6babba4914057 |
| SHA256 | 8a441fc07c9e4c0b595390940508204f183a70efe8c7184d88b4f260632a842f |
| SHA512 | afa203e01510d0207ab7998d8d9cbb0851b4855893afc72125166f801780eea1c86022da322d3ee2d70d731b26b203425baa09095e73945cef2bc28dd907bc01 |
C:\Users\Admin\AppData\Local\Temp\kavoq.exe
| MD5 | 7203bb420b08f700dc755a326a486334 |
| SHA1 | 03c2efbce166239606bbc9d3642373c9fa80168c |
| SHA256 | 9c7d7ab4ca12e07a0481c0ba09e88f727f02992472e1afde560090f2fa2218cf |
| SHA512 | aaebae67cb492986d48f095c8a4701c5d4918efdb3c99bcec43877df9092664a785d59dca02edcd57d86d3cb343b1c3f4f1b0668ecff5cca85d1e606f60612b0 |
memory/936-26-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/808-29-0x0000000000400000-0x0000000000465000-memory.dmp
memory/936-28-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-27-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-25-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-31-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-32-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-33-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-34-0x0000000000FC0000-0x0000000001054000-memory.dmp
memory/936-35-0x0000000000FC0000-0x0000000001054000-memory.dmp