Analysis Overview
SHA256
2c25e31ddcb7ce79670b67ce57d5e6a4b0c7e13d870ee25a8bbdd18807ee5d32
Threat Level: Known bad
The file 7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 04:11
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 04:11
Reported
2024-08-01 04:13
Platform
win7-20240705-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/3048-0-0x0000000000D10000-0x0000000000D41000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | b85f9662eca31e83cc33467eb564f05a |
| SHA1 | c05209e101a248c0ef7d021a9ad671281bfff157 |
| SHA256 | 5eda2e49b7dcccef66b66d1af8968c7aa2ab4405498d8ce70e00f5b7dfd10f9a |
| SHA512 | 671e22bd8d7ae9ed6ebe833b35c7b1372b2cf58e8e456d208bc04fccf223614dae83f29e362151cb23eb53ea67d9f7696ab7bcc3ece7512717b7ceea60c82a69 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | e41ea93eca438a829239de74778164d8 |
| SHA1 | e8c7977b3f2a2576203367a4261c6c0c304973b7 |
| SHA256 | b8db3e9caa1afbf59716814ed8fe2bafe499241db7bf4178ff7ea0623fc74fd4 |
| SHA512 | 071ad2968d8b3a1fe3c5a6e454fc16868d3cb1273857f28a063971a39e17350aa82ac46e98e82637dc61c299ccf9265c74b36bc4f0382840ca33468fed391bd3 |
memory/2488-17-0x00000000001F0000-0x0000000000221000-memory.dmp
memory/3048-16-0x0000000000480000-0x00000000004B1000-memory.dmp
memory/3048-18-0x0000000000D10000-0x0000000000D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ede6388dfbb03ff576508b085d03e793 |
| SHA1 | 71d2e779ac6ed074b5698651a8c7fa3b047ccb50 |
| SHA256 | 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8 |
| SHA512 | 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b |
memory/2488-21-0x00000000001F0000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 04:11
Reported
2024-08-01 04:13
Platform
win10v2004-20240730-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 348 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 348 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 348 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 348 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 348 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 348 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f1fda5c3e6515b61fa48f5744572b5c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/348-0-0x0000000000120000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 00e9e250f4ac7da49fda44ea1877bf17 |
| SHA1 | c67cec8c58173384b4db1587ce38968d2a710677 |
| SHA256 | 18b93caa32065cfbf11bed1c6092115d830a4719e373179ba0d3da27169cf25c |
| SHA512 | d3862058fd57a4fe0b90a0d654118e7a15b53cd7e1d3383aa35ad22e922524bc3e88ac5f88af2fa4f3158a895823760b65a3d76062d38fd564cbe4b96107c02b |
memory/3028-14-0x0000000000020000-0x0000000000051000-memory.dmp
memory/348-17-0x0000000000120000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | e41ea93eca438a829239de74778164d8 |
| SHA1 | e8c7977b3f2a2576203367a4261c6c0c304973b7 |
| SHA256 | b8db3e9caa1afbf59716814ed8fe2bafe499241db7bf4178ff7ea0623fc74fd4 |
| SHA512 | 071ad2968d8b3a1fe3c5a6e454fc16868d3cb1273857f28a063971a39e17350aa82ac46e98e82637dc61c299ccf9265c74b36bc4f0382840ca33468fed391bd3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ede6388dfbb03ff576508b085d03e793 |
| SHA1 | 71d2e779ac6ed074b5698651a8c7fa3b047ccb50 |
| SHA256 | 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8 |
| SHA512 | 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b |
memory/3028-20-0x0000000000020000-0x0000000000051000-memory.dmp