Analysis Overview
SHA256
ed5e31592f1ab4b99ec67646993946ecfb7226c1c3fc6aaf8188f9665047057e
Threat Level: Known bad
The file 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 14:22
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 14:22
Reported
2024-07-31 14:24
Platform
win7-20240705-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\piybar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qanuh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\piybar.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\coupc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\piybar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qanuh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\coupc.exe
"C:\Users\Admin\AppData\Local\Temp\coupc.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\piybar.exe
"C:\Users\Admin\AppData\Local\Temp\piybar.exe" OK
C:\Users\Admin\AppData\Local\Temp\qanuh.exe
"C:\Users\Admin\AppData\Local\Temp\qanuh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2976-2-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 3b8236068121233014439794aa9266b8 |
| SHA1 | 9290db29c7002e622c18495ec00d5bbc7892bf4e |
| SHA256 | ff82515b2a1ec707d042c9a337fbc92c204edf989e27abdf3fc3a5ec70a7c6a3 |
| SHA512 | f212c3c1e043ffd484030573237fc4f5d7d6bf9bd14ce61c4af5a926c2ffbf403a692413f28aece83009ccac37bab4ea68a74e552b9ed95643238ebe6f84e980 |
C:\Users\Admin\AppData\Local\Temp\coupc.exe
| MD5 | ce19cbd289c3c82661b350d025f04442 |
| SHA1 | 2472e6fdd10a4c9567df57dcdceab3873dcb2a83 |
| SHA256 | 3e05be70fb8eb3c36ac4270d8ae17c30f0f7f8393812a583b27215c859061130 |
| SHA512 | 3132c4a730b3d4c5327686f82cad51e350d0be50c886d549512196c80b1758de94241d1e1ef71e96ff60053a6da72c685aa6e0182a132986309585c996b78378 |
memory/2976-15-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2320-18-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1486de85267adff1574aa7fac4c2eaf8 |
| SHA1 | 07230872130d226eb9e7f4fd3c2fa6fa8386c605 |
| SHA256 | 554f8556cbaa3d99841a9fd30b8d9960973a7b624dd498ddb7d81044c13c701b |
| SHA512 | c3d312996059e0beb127ed623cd07d77fd183982ba9117dc4e2b8ef8905f04dfde1455918c37b27e3f68f9141ec3f9542e7b9fddfb9e3a4bcf64a459cdaa4199 |
memory/2320-26-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2884-27-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\piybar.exe
| MD5 | 5f787abf15bb781df0cd56a7281f6296 |
| SHA1 | 6569a37457a9de3d54041e86e30f093056511e6f |
| SHA256 | d947e88833b3430e8787e0840b7f1277872a5c1024f3f8f9c55a473a4fbb240c |
| SHA512 | 615feb5dec8273fa2bfc897d2c09ff5f79205b18878af175c0b52b99e8d14dbc4689b7c6ab3feb3d3a29945c4c63a5bb913e58cbfbe08c5458f7a2519042dce6 |
memory/2884-42-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qanuh.exe
| MD5 | 9e869abf8a96a8bd6f8e899a38a803c0 |
| SHA1 | f4a269b683217ba32f61b3ef1a512fa252893eba |
| SHA256 | 4d3ee28b6ee5c01a334c08904215f366306662cb5cddf50e1b7ea1708024326f |
| SHA512 | 7db15e05eecefd296a23612d0b03020bf2240c3c9d4ebfc793d1335b1ac820975deae4108f8c8c03d433f957237456e3c2fd7c4e52cd7e88285b44ef4dc72ac9 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 74e09c61123fb1557f89fd46def5d9db |
| SHA1 | 9bb82c515c2c00c47a5abe0af996b46980482c54 |
| SHA256 | cad476ee46ad7f7dcd36e2e8aa420df618b02c2e26be3cea6ab77bcf016a8f53 |
| SHA512 | caec9a77a53487d87e3c65ad21b218ead8195e4e6e3de285917f9da9ff85b2174b1d369361977111018301f5a929394c78f22a17aba424438ec5505ee94cfbf2 |
memory/2608-44-0x0000000000F50000-0x0000000000FF0000-memory.dmp
memory/2608-48-0x0000000000F50000-0x0000000000FF0000-memory.dmp
memory/2608-49-0x0000000000F50000-0x0000000000FF0000-memory.dmp
memory/2608-50-0x0000000000F50000-0x0000000000FF0000-memory.dmp
memory/2608-51-0x0000000000F50000-0x0000000000FF0000-memory.dmp
memory/2608-52-0x0000000000F50000-0x0000000000FF0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 14:22
Reported
2024-07-31 14:24
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fyvek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\akpiir.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyvek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\akpiir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cuitf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyvek.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\akpiir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuitf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\fyvek.exe
"C:\Users\Admin\AppData\Local\Temp\fyvek.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\akpiir.exe
"C:\Users\Admin\AppData\Local\Temp\akpiir.exe" OK
C:\Users\Admin\AppData\Local\Temp\cuitf.exe
"C:\Users\Admin\AppData\Local\Temp\cuitf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1580-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fyvek.exe
| MD5 | 565e31ac493717b1ff556fe19870d325 |
| SHA1 | 665f58ed63d2b02957133cf72cd2ba0bf0b67002 |
| SHA256 | 61eec3b2ab0a8e119705972ece979cca9578e3aff99d79b561cd68876da2fbfd |
| SHA512 | 7598d854b1b011802f02b0c6953c1599f69646eaa75dcfd93fb093883acdf61d070cc739f450520a7c73666f0ee015f5cc000c9f4d1e53ff15937b1ebb1ddbf7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7b5d7c98ffd5b742459510575acd232f |
| SHA1 | 4015c1d168461bbce82f6936766ce22d7431dcfc |
| SHA256 | 80287ccd965ed6f5f0b52647287dcec9dcd1d843f87d187a42fc48858ae2604b |
| SHA512 | 1f38dd8793adc1f65aebe7160cbb8eed549399cffdabd696f90227aa5c9e4a3326cc7f267c7b841c0cd1dd32f3479ecc3b879a02383db0fd9dda3073b1057f6a |
memory/1580-14-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 3b8236068121233014439794aa9266b8 |
| SHA1 | 9290db29c7002e622c18495ec00d5bbc7892bf4e |
| SHA256 | ff82515b2a1ec707d042c9a337fbc92c204edf989e27abdf3fc3a5ec70a7c6a3 |
| SHA512 | f212c3c1e043ffd484030573237fc4f5d7d6bf9bd14ce61c4af5a926c2ffbf403a692413f28aece83009ccac37bab4ea68a74e552b9ed95643238ebe6f84e980 |
C:\Users\Admin\AppData\Local\Temp\akpiir.exe
| MD5 | 0e9cc82a0925d85a2b3fa2a7186b01f4 |
| SHA1 | cea10964c080fe84fbfcb5ea12cc163ec14e2073 |
| SHA256 | 4e1142c1e2e33646aa783e6c15ee5024a568851d12b9444735f93ecb75fe6bb8 |
| SHA512 | 4e7c3aaa2fab72b0feadff5103d4b953801f04d5d9cfa4e55f004f0f9dc8277a82f8e9e536fe7d8816f4a67fbde9d5a29cc858c011f53c06678ecd83db26d40b |
memory/3160-23-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2668-25-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cuitf.exe
| MD5 | 9b944dfa55de66826becb62a3fb0e513 |
| SHA1 | 8e7fc2d29a0ca4c7e2ef4eb40aa2debab72c8f6f |
| SHA256 | d0072ec9ebd361eb2b83e40e9b51a836b54d5a7444518352f24b1f189e983b79 |
| SHA512 | 5bd5f4e90cc7481921c16023ca277831ab6df9bf93ec700539c0278624f54b9067eec5f33762289f8be4a75fd3944d3b2c8c4a74905369bc493238f5d22cb17d |
memory/4904-36-0x0000000000610000-0x00000000006B0000-memory.dmp
memory/2668-38-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 47e5baf5db785cf83e2ce6a615b213a6 |
| SHA1 | 6388b6fad8273b5ef442393e39dd5c29dd087833 |
| SHA256 | 83fd0812072932e0f3ddb9a093d60de9e0e686e354ca174847caf6a963600b95 |
| SHA512 | 742711b423cd36042eb8b902db027dfdba5ce7d4c1faabff962a429b59dbad1aff56f825d27b6ba1f2de9f1148b56e6c8867589e3b4a5fa163ba631ec6173360 |
memory/4904-41-0x0000000000610000-0x00000000006B0000-memory.dmp
memory/4904-42-0x0000000000610000-0x00000000006B0000-memory.dmp
memory/4904-43-0x0000000000610000-0x00000000006B0000-memory.dmp
memory/4904-44-0x0000000000610000-0x00000000006B0000-memory.dmp
memory/4904-45-0x0000000000610000-0x00000000006B0000-memory.dmp