Analysis Overview
SHA256
adbed124faeae69e6e0355bea43ee6531f390524eb7759140e5843e580f41fd6
Threat Level: Known bad
The file 7fe3d3e31683778477219e67511be5c9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 08:56
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 08:56
Reported
2024-08-01 08:58
Platform
win7-20240729-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ykkin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jagugy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jului.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ykkin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ykkin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jagugy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ykkin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jagugy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jului.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ykkin.exe
"C:\Users\Admin\AppData\Local\Temp\ykkin.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\jagugy.exe
"C:\Users\Admin\AppData\Local\Temp\jagugy.exe" OK
C:\Users\Admin\AppData\Local\Temp\jului.exe
"C:\Users\Admin\AppData\Local\Temp\jului.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
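The process list above is the durable part of this report: each stage is a freshly named, freshly hashed copy dropped into the user's Temp directory, launched with a one-word argument (hi, OK), and then removed by a cmd /c run of _vslite.bat. As an added example (not part of this report and not any sandbox vendor's detection code), the following Python reconstructs that chain as process-creation events and flags the two behaviours that survive the random file names: a Temp-resident binary launching another Temp-resident binary with a single handshake argument, and a Temp-resident binary spawning cmd /c on a batch file in Temp. PIDs 2188, 1880, 1540 and 804 are taken from the memory-dump names below; the cmd.exe PIDs (2300, 2400), the parent PID 1000 of the sample, and the parent/child links are assumptions, since the report lists processes flat.

```python
"""Flag the Urelas dropper chain from process-creation events.

Added example (not from the original report). The events below are constructed to
mirror the behavioral1 process list; PIDs 2188/1880/1540/804 come from the report's
memory-dump names, the cmd.exe PIDs and the parent/child links are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    ppid: int
    detail: str


# Executables living in the user's Temp directory (the dropper and every stage it writes).
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# "<image>" <single word>: Urelas passes "hi" / "OK" to the stage it just dropped.
HANDSHAKE_RE = re.compile(r'^(?:"[^"]+"|\S+)\s+(\w+)\s*$')
HANDSHAKE_ARGS = {"hi", "ok"}
# cmd /c ""<path>.bat" " : capture the batch path regardless of cmd's doubled quoting.
BAT_RE = re.compile(r'/c\s+"{0,2}([A-Za-z]:\\[^"]+\.bat)"', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_urelas_chain(events):
    """Return findings for handshake launches and batch self-deletion, plus one
    'urelas-chain' finding for every parent that shows both behaviours."""
    by_pid = {e.pid: e for e in events}
    findings, seen = [], {}  # seen: parent pid -> set of behaviours
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or not TEMP_EXE_RE.search(parent.image):
            continue  # only care about children of Temp-resident binaries
        if TEMP_EXE_RE.search(ev.image):
            # Stage launch: Temp binary starts another Temp binary with a one-word argument.
            m = HANDSHAKE_RE.match(ev.cmdline)
            if m and m.group(1).lower() in HANDSHAKE_ARGS:
                findings.append(Finding("dropped-exe-handshake", "medium", ev.pid, ev.ppid,
                                        f"{ev.image} launched with argument {m.group(1)!r}"))
                seen.setdefault(ev.ppid, set()).add("handshake")
        elif ev.image.lower().endswith("\\cmd.exe"):
            # Self-deletion: Temp binary runs cmd /c on a batch file that also lives in Temp.
            m = BAT_RE.search(ev.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)):
                sev = "high" if m.group(1).lower().endswith("\\_vslite.bat") else "medium"
                findings.append(Finding("temp-batch-self-delete", sev, ev.pid, ev.ppid,
                                        f"cmd.exe ran {m.group(1)}"))
                seen.setdefault(ev.ppid, set()).add("self-delete")
    for ppid, rules in sorted(seen.items()):
        if rules == {"handshake", "self-delete"}:
            findings.append(Finding("urelas-chain", "high", ppid, by_pid[ppid].ppid,
                                    f"{by_pid[ppid].image} launched a handshake stage and deleted itself"))
    return findings


# Constructed events mirroring the behavioral1 process list (links/cmd PIDs assumed).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = f"{TEMP}\\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe"
BAT_CMD = f'cmd /c ""{TEMP}\\_vslite.bat" "'
SAMPLE_EVENTS = [
    ProcEvent(2188, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1880, 2188, f"{TEMP}\\ykkin.exe", f'"{TEMP}\\ykkin.exe" hi'),
    ProcEvent(2300, 2188, r"C:\Windows\SysWOW64\cmd.exe", BAT_CMD),   # sample deletes itself
    ProcEvent(1540, 1880, f"{TEMP}\\jagugy.exe", f'"{TEMP}\\jagugy.exe" OK'),
    ProcEvent(804, 1540, f"{TEMP}\\jului.exe", f'"{TEMP}\\jului.exe"'),
    ProcEvent(2400, 1880, r"C:\Windows\SysWOW64\cmd.exe", BAT_CMD),   # ykkin.exe deletes itself
]

if __name__ == "__main__":
    for f in detect_urelas_chain(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: pid={f.pid} ppid={f.ppid} {f.detail}")
```

The same regexes match the Windows 10 variant of the command line (C:\Windows\system32\cmd.exe /c ""...\_vslite.bat" ") seen in behavioral2. The _vslite.bat name lifts a hit to high severity; a generic cmd /c on any Temp batch file from a Temp-resident parent is still reported at medium, since the self-delete pattern is more stable than the file name.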
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2188-2-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2188-22-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ykkin.exe
| MD5 | d0e82d500ff80f062c065281dd9c062e |
| SHA1 | dbf8c7033456f6c448ac977a30c4b68214491091 |
| SHA256 | 4bff0d8257070e56c703d3699e129c8365109fdd734ffbb604c5ed7c2b54e5d7 |
| SHA512 | 2acadd31231ebadb6006488531095342f947028eab3da717dcca2cbc6a51fa155e8809b7da809aba1fc8a52fa6058465624c31266ab167b44787e94d1eb10719 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | bc733556b5963136d4146a70312e959c |
| SHA1 | 527a7367de389238beb7bbf870c82ee3e952033f |
| SHA256 | 24d0e5c9f716bfed7927b636e27c3883123d7bc39cb52baf654b3a975a40d8a0 |
| SHA512 | b34a46cfaf5af7634522c26089e566f861a647bdfe4ce1e752af6bbf3ef2117d65e8c6e4033fa736d5fd1ad940aaad77c4b59cfeaa0802cd4aeff37b71ec0e36 |
memory/1880-21-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2188-20-0x0000000002640000-0x00000000026A8000-memory.dmp
memory/2188-19-0x0000000002640000-0x00000000026A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 17a23e5a577f30f68789237374de0822 |
| SHA1 | 87423a47872b22ac7526cd4e708d72d06f73b376 |
| SHA256 | c24758d063c8ada944a8ff11276201943ac1f320c11b9fd0cba67012de392bf3 |
| SHA512 | 7573f10c378703a078750544d510544c1d6181b6fd4ab30c9892af3809b633da0f2fe98495d42617ff756104ecac3d54c7136821c2d01b1075f138d43fa75a41 |
\Users\Admin\AppData\Local\Temp\jagugy.exe
| MD5 | 58e21d36ea3245436ba22b5f5d15ed76 |
| SHA1 | 09864cc75d0d28569cb5bb6e39559ababd5b2ce9 |
| SHA256 | c92b7ffa21430a8fec2106bffcd1011c0a3f9e9fd8154ac8e37912360e8e0905 |
| SHA512 | 5a13abd7b0db4f8877063dd1fc4bb8f7ca463074303e72e8e29984651263f32cb394768a47809d871cb49566d5aef94c199b4bf4bde144ad28564fdd77420db8 |
memory/1880-31-0x0000000003430000-0x0000000003498000-memory.dmp
memory/1540-37-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1880-36-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jului.exe
| MD5 | 102f345e86cc0ac18edb0b3ad4d4ee34 |
| SHA1 | 16cef75e9c727b0740e8e0dc0dbc912079fb8dbc |
| SHA256 | f383f9eca36e1e2cad393aad6919b7e59888c07863660cb2a8344c88be5d6ff1 |
| SHA512 | f603236997761c00b03daca1ec36831bdf5f85d059bea50a3ed9505a5f22af59fd2642e6ee437346cbb111d104cc7a38f5165688f0a620d2b46b79acc46b6419 |
memory/804-54-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/1540-53-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1540-50-0x00000000030C0000-0x0000000003160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | cdf68fa83d9556715b1cde8f02954e51 |
| SHA1 | 68fd6e4e9c9f031427af2df12a2e09f9447f6acc |
| SHA256 | e6f339615d49302c7b924e1e798fe840162ccbf074106e18c6edefae4cda875c |
| SHA512 | d62ed5eaf0df786b7430613a9c9bc91cf837453f5722bbc1407bd5e28fc7262a5eb31b6256f1701184e18cd272a1ce26f963cea362f6de6916018b9663d762f5 |
memory/804-58-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/804-59-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/804-60-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/804-61-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/804-62-0x0000000000210000-0x00000000002B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 08:56
Reported
2024-08-01 08:58
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ruemd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruemd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wizel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wizel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ruemd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ruemd.exe
"C:\Users\Admin\AppData\Local\Temp\ruemd.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe
"C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe" OK
C:\Users\Admin\AppData\Local\Temp\wizel.exe
"C:\Users\Admin\AppData\Local\Temp\wizel.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2020-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ruemd.exe
| MD5 | 7d13b4968b6d15a4e94d9012c01820ca |
| SHA1 | fccf1b53eb1cee774f36900b54c542d988835ea4 |
| SHA256 | e919b9ebd04bb9921eb7c79c00d2697cac1d71c3ad510f782ffa3f0d2eb5a200 |
| SHA512 | 0304a94e6829df1caf19dc42b496d00fe3f33a0f3f0d99b64974f0d10bde3c975b9b8dd182efff49206ebe164bebd50c003af4107a3c23caac98f9f4215a3f70 |
memory/2164-12-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fb011acaadf079d5ade483afc3bf7a2d |
| SHA1 | 5f526ca7c6199660d307cdc30b134f1117627ea5 |
| SHA256 | 6a97fdaf8630433603329cccb08c50575d77d847ecf886bf906c8c0cfe07f4d6 |
| SHA512 | b027a5f30c208ba230338d2461e31642fa6f2fee7a5337aa3fc30c13ea918e755fce149d4ab66000e74bc61374b06abd5150a72841b4d0e12898a3ff8efecaf8 |
memory/2020-16-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | bc733556b5963136d4146a70312e959c |
| SHA1 | 527a7367de389238beb7bbf870c82ee3e952033f |
| SHA256 | 24d0e5c9f716bfed7927b636e27c3883123d7bc39cb52baf654b3a975a40d8a0 |
| SHA512 | b34a46cfaf5af7634522c26089e566f861a647bdfe4ce1e752af6bbf3ef2117d65e8c6e4033fa736d5fd1ad940aaad77c4b59cfeaa0802cd4aeff37b71ec0e36 |
C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe
| MD5 | 016fc462d8e10d95cce33651d2f581bf |
| SHA1 | 1f27cf1f7d607705f1eff90fa90a25644e301d5c |
| SHA256 | 6321e9116fef2828c39d99498013fd71017f8e3cd6b2427932ace5c900792aa8 |
| SHA512 | 71d3ecf921d75fef1fec7d9925a9d3d1c32b5301203819bf3cb3d647810a5256fd9b31e2631cb4cd7bb392720792100639ff5d53cd62fda074ff89ca8fe858e1 |
memory/1232-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2164-26-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wizel.exe
| MD5 | 5d95500c95ff42384e37c3580849074f |
| SHA1 | 6c27f6fee1a3b0cf602a531bcfb8d83222fc57c6 |
| SHA256 | fcc53c3458feecfb383cc793e7c8da27d42e30f16ef97dd17bb3c3689bd984a0 |
| SHA512 | ad07851aa913fef00d4550cbddff2032e05ca6f87e6ff95ea6dd6d887258686dee4d70b90ee926aba0d3b2f9effdf098851a471cdec43f8396ba5e39f666eedc |
memory/5036-37-0x0000000000570000-0x0000000000610000-memory.dmp
memory/1232-39-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5c8e3e50afde25ec8a153189915a65bb |
| SHA1 | d12eca2f8298ed0731cb7451533f10c18974ae56 |
| SHA256 | 7ad1714ec68adcd2c165ebf117ef71eadf357b3324ab8d2147ccbc1b9650d4be |
| SHA512 | 5671a9529c958c69f97feb125a86df204739c808e4481668e96fb3d83957faa5da674fb03d69767b0b6e1352eeeaa3bf6a03780c3bc8474fdfd470c0aa4d8de4 |
memory/5036-42-0x0000000000570000-0x0000000000610000-memory.dmp
memory/5036-43-0x0000000000570000-0x0000000000610000-memory.dmp
memory/5036-44-0x0000000000570000-0x0000000000610000-memory.dmp
memory/5036-45-0x0000000000570000-0x0000000000610000-memory.dmp
memory/5036-46-0x0000000000570000-0x0000000000610000-memory.dmp
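Read side by side, the two detonations tell a practitioner which indicators survive across runs. As an added example (not part of the report), the Python below transcribes the MD5s, C2 endpoints and memory-dump names from the behavioral1 and behavioral2 sections, splits each indicator category into values seen in both runs versus values seen in only one, and groups the dumped memory regions by size so the 0x679C5-byte image at 0x400000 that recurs in every stage's PID stands out. Only values printed in the report are used; the dump lists keep one name per distinct (PID, region) and drop repeats of the same region.

```python
"""Separate stable from run-specific indicators across the two detonations.

Added example, not part of the original report. All values below are transcribed
from the behavioral1 (win7) and behavioral2 (win10) sections; nothing else is assumed.
"""
import re
from collections import defaultdict

# Dump names in the report: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return (pid, sequence, start, size) for one memory-dump file name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return pid, seq, start, end - start


def regions_by_size(names):
    """Group dumped regions by size -> sorted PIDs. A size shared by several PIDs
    points at the same kind of mapping (e.g. the same PE image) recurring per stage."""
    out = defaultdict(set)
    for name in names:
        pid, _, _, size = parse_dump(name)
        out[size].add(pid)
    return {size: sorted(pids) for size, pids in out.items()}


def split_iocs(runs):
    """Per category, return (stable, volatile): values seen in every run vs. in only some."""
    categories = set().union(*(r.keys() for r in runs.values()))
    stable, volatile = {}, {}
    for cat in categories:
        sets = [set(r.get(cat, ())) for r in runs.values()]
        stable[cat] = set.intersection(*sets)
        volatile[cat] = set.union(*sets) - stable[cat]
    return stable, volatile


C2 = {"218.54.31.226:11110", "1.234.83.146:11170", "218.54.31.165:11110", "133.242.129.155:11110"}
RUNS = {
    "behavioral1": {
        "dropped_exe_md5": {"d0e82d500ff80f062c065281dd9c062e",   # ykkin.exe
                            "58e21d36ea3245436ba22b5f5d15ed76",   # jagugy.exe
                            "102f345e86cc0ac18edb0b3ad4d4ee34"},  # jului.exe
        "vslite_bat_md5": {"bc733556b5963136d4146a70312e959c", "cdf68fa83d9556715b1cde8f02954e51"},
        "golfinfo_ini_md5": {"17a23e5a577f30f68789237374de0822"},
        "c2_tcp": set(C2),
    },
    "behavioral2": {
        "dropped_exe_md5": {"7d13b4968b6d15a4e94d9012c01820ca",   # ruemd.exe
                            "016fc462d8e10d95cce33651d2f581bf",   # uzuxyb.exe
                            "5d95500c95ff42384e37c3580849074f"},  # wizel.exe
        "vslite_bat_md5": {"bc733556b5963136d4146a70312e959c", "5c8e3e50afde25ec8a153189915a65bb"},
        "golfinfo_ini_md5": {"fb011acaadf079d5ade483afc3bf7a2d"},
        "c2_tcp": set(C2),
    },
}
# One dump name per distinct (pid, region) from each run; repeats of a region omitted.
RUN1_DUMPS = [
    "memory/2188-2-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/2188-19-0x0000000002640000-0x00000000026A8000-memory.dmp",
    "memory/1880-21-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/1880-31-0x0000000003430000-0x0000000003498000-memory.dmp",
    "memory/1540-37-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/1540-50-0x00000000030C0000-0x0000000003160000-memory.dmp",
    "memory/804-54-0x0000000000210000-0x00000000002B0000-memory.dmp",
]
RUN2_DUMPS = [
    "memory/2020-0-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/2164-12-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/1232-25-0x0000000000400000-0x00000000004679C5-memory.dmp",
    "memory/5036-37-0x0000000000570000-0x0000000000610000-memory.dmp",
]

if __name__ == "__main__":
    stable, volatile = split_iocs(RUNS)
    for cat in sorted(stable):
        print(f"{cat}: stable={sorted(stable[cat])} volatile={sorted(volatile[cat])}")
    for label, dumps in (("behavioral1", RUN1_DUMPS), ("behavioral2", RUN2_DUMPS)):
        for size, pids in sorted(regions_by_size(dumps).items()):
            print(f"{label}: region size 0x{size:X} dumped from PIDs {pids}")
```

Running it shows the four TCP endpoints on ports 11110 and 11170 and the first _vslite.bat (MD5 bc733556b5963136d4146a70312e959c) identical in both runs, while every dropped executable, the second batch file and golfinfo.ini carry different hashes per run. Hashes of the dropped stages are therefore poor indicators for this family; the batch-file hash, the C2 endpoints and the process chain are the ones worth keeping. The image region of the same size at 0x400000 in each stage's PID is consistent with every stage being a re-dropped copy of one binary, though a matching size alone does not prove identical bytes.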