Malware Analysis Report

2024-11-16 13:28

Sample ID 240801-er4mns1ell
Target 7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118
SHA256 2c25e31ddcb7ce79670b67ce57d5e6a4b0c7e13d870ee25a8bbdd18807ee5d32
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2c25e31ddcb7ce79670b67ce57d5e6a4b0c7e13d870ee25a8bbdd18807ee5d32

Threat Level: Known bad

The file 7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-01 04:11

Signatures

Urelas family

urelas

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 04:11

Reported

2024-08-01 04:13

Platform

win7-20240705-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | - | tcp
KR | 112.175.88.208:11150 | - | tcp
KR | 112.175.88.209:11170 | - | tcp
KR | 112.175.88.207:11150 | - | tcp

Files

memory/3048-0-0x0000000000D10000-0x0000000000D41000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 b85f9662eca31e83cc33467eb564f05a
SHA1 c05209e101a248c0ef7d021a9ad671281bfff157
SHA256 5eda2e49b7dcccef66b66d1af8968c7aa2ab4405498d8ce70e00f5b7dfd10f9a
SHA512 671e22bd8d7ae9ed6ebe833b35c7b1372b2cf58e8e456d208bc04fccf223614dae83f29e362151cb23eb53ea67d9f7696ab7bcc3ece7512717b7ceea60c82a69

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e41ea93eca438a829239de74778164d8
SHA1 e8c7977b3f2a2576203367a4261c6c0c304973b7
SHA256 b8db3e9caa1afbf59716814ed8fe2bafe499241db7bf4178ff7ea0623fc74fd4
SHA512 071ad2968d8b3a1fe3c5a6e454fc16868d3cb1273857f28a063971a39e17350aa82ac46e98e82637dc61c299ccf9265c74b36bc4f0382840ca33468fed391bd3

memory/2488-17-0x00000000001F0000-0x0000000000221000-memory.dmp

memory/3048-16-0x0000000000480000-0x00000000004B1000-memory.dmp

memory/3048-18-0x0000000000D10000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ede6388dfbb03ff576508b085d03e793
SHA1 71d2e779ac6ed074b5698651a8c7fa3b047ccb50
SHA256 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8
SHA512 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b

memory/2488-21-0x00000000001F0000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 04:11

Reported

2024-08-01 04:13

Platform

win10v2004-20240730-en

Max time kernel

94s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | - | tcp
KR | 112.175.88.208:11150 | - | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
KR | 112.175.88.209:11170 | - | tcp
KR | 112.175.88.207:11150 | - | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

memory/348-0-0x0000000000120000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 00e9e250f4ac7da49fda44ea1877bf17
SHA1 c67cec8c58173384b4db1587ce38968d2a710677
SHA256 18b93caa32065cfbf11bed1c6092115d830a4719e373179ba0d3da27169cf25c
SHA512 d3862058fd57a4fe0b90a0d654118e7a15b53cd7e1d3383aa35ad22e922524bc3e88ac5f88af2fa4f3158a895823760b65a3d76062d38fd564cbe4b96107c02b

memory/3028-14-0x0000000000020000-0x0000000000051000-memory.dmp

memory/348-17-0x0000000000120000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e41ea93eca438a829239de74778164d8
SHA1 e8c7977b3f2a2576203367a4261c6c0c304973b7
SHA256 b8db3e9caa1afbf59716814ed8fe2bafe499241db7bf4178ff7ea0623fc74fd4
SHA512 071ad2968d8b3a1fe3c5a6e454fc16868d3cb1273857f28a063971a39e17350aa82ac46e98e82637dc61c299ccf9265c74b36bc4f0382840ca33468fed391bd3

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ede6388dfbb03ff576508b085d03e793
SHA1 71d2e779ac6ed074b5698651a8c7fa3b047ccb50
SHA256 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8
SHA512 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b

memory/3028-20-0x0000000000020000-0x0000000000051000-memory.dmp