Analysis Overview
SHA256
de091802b6a0d67ee3f95ea7d90fe721859e0cdf04bcd7fc77d631220e67f1dd
Threat Level: Known bad
The file 85831dd0098430dea02fb457ec2908d0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 09:01
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-10 09:01
Reported
2024-08-10 09:04
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zeces.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zeces.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boboo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zeces.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\boboo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\zeces.exe
"C:\Users\Admin\AppData\Local\Temp\zeces.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\boboo.exe
"C:\Users\Admin\AppData\Local\Temp\boboo.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3900-0-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zeces.exe
| MD5 | a9d323128df68fcbc15eb82d10a1193a |
| SHA1 | a8c5462bfbaf2bb042cc27ec61687980dffee175 |
| SHA256 | ac7693dbc7a3ad74dcf5bcd6b1a2b052023f12737ea9a569e764823df89315a3 |
| SHA512 | 931c1345a1a5d5adaf223ea7efc8094e17b064589416d769221a3f47092c3de8f57049154583a2ae33e4f0b8afe8cbbf3254030ed233600489271f50879e0c34 |
memory/1708-11-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 000fc35d3a385dc8fc7f35ab887fc6c3 |
| SHA1 | 45a2c4de40eafe60bedabd1c112af1cacd6c9e3b |
| SHA256 | 14512b6b8099d3e897f6ef9f0e24c875e0aa54e79cdec8d7d77f7bc56a6f83b4 |
| SHA512 | 9966becc2a22b6fee43f1c573e00f17bb109093cb2297b0cd0bfa95d7da1ab3c997ae538b80e39a748a26d30247556e5680071a791fde2672c0e53a0333a6d93 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f7b1854fee0344fe2ebec46bb776f23f |
| SHA1 | fd9eadfa6447f544df9ce2cd20a658afd2b5e40a |
| SHA256 | 00b38dbfbef3830fb307a7eb9192028d5c9f472c955ae7459c0031d621cbdbcd |
| SHA512 | 3149c9cddefa48e7fee76413febbeb27b38b3e665bbd195823e2ee6e01239614907de069fc89fa28efb7fd44012ec35095bb9ef9d7f5a7a6b846e87340987077 |
C:\Users\Admin\AppData\Local\Temp\boboo.exe
| MD5 | 057cb377808a33679f3a65423063a183 |
| SHA1 | 731ad7632833e52d55387978b0ef7118b9c447fd |
| SHA256 | 2cb77d235b6acee2e2cae7e7437bbb7159d3361df508647d8b04b048ecc4b696 |
| SHA512 | 2b219655046cac8fcdbe49a0baedd0707fd22fdbc48b9c10e4a723229429ad433dacf3bb36542837b892b7a16dcddee94b8dc9f286ce78a0565b250aac87fb02 |
memory/1996-25-0x00000000004A8000-0x00000000004A9000-memory.dmp
memory/1996-24-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1996-27-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1996-28-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1996-29-0x00000000004A8000-0x00000000004A9000-memory.dmp
memory/1996-30-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1996-31-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1996-32-0x0000000000400000-0x00000000004B5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 09:01
Reported
2024-08-10 09:04
Platform
win7-20240704-en
Max time kernel
150s
Max time network
94s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucwin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tivei.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucwin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ucwin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tivei.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85831dd0098430dea02fb457ec2908d0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ucwin.exe
"C:\Users\Admin\AppData\Local\Temp\ucwin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\tivei.exe
"C:\Users\Admin\AppData\Local\Temp\tivei.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2388-0-0x0000000000400000-0x000000000047A000-memory.dmp
\Users\Admin\AppData\Local\Temp\ucwin.exe
| MD5 | 04d153254c1e0b22a335543ae99a1801 |
| SHA1 | 6831fc795149e47507456cbf66ec0538a7c23d09 |
| SHA256 | 5e6b91e22847198ce0f409e0810d4e5b67a9334e46b639ba7b1821c72bb7cf7f |
| SHA512 | 4de88e87861b52afde0988902e5415c8b9e42e555b5e53194ef0e55002c0bba02d3808960868583905e202260cd2d6fed921fe647ca32319317937048430cfc8 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 000fc35d3a385dc8fc7f35ab887fc6c3 |
| SHA1 | 45a2c4de40eafe60bedabd1c112af1cacd6c9e3b |
| SHA256 | 14512b6b8099d3e897f6ef9f0e24c875e0aa54e79cdec8d7d77f7bc56a6f83b4 |
| SHA512 | 9966becc2a22b6fee43f1c573e00f17bb109093cb2297b0cd0bfa95d7da1ab3c997ae538b80e39a748a26d30247556e5680071a791fde2672c0e53a0333a6d93 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 64c534c273ecd97ada52ddd2032ed90d |
| SHA1 | 9542bb40b836d708909fb1ccbc4d9f393d0385c6 |
| SHA256 | 6b685c4518226e37df5c5a86ce9e648988f01a8ef4b9fb0a8c2520107b4c247a |
| SHA512 | f5070c180c35b27484afc9b3e16cbf7c7ad2a5abe6dc28e6e843d7f26aa6b3c51adccff39c225d661ee7974ecfcee76b39a156ef4b276f627f9ae909dca547c2 |
\Users\Admin\AppData\Local\Temp\tivei.exe
| MD5 | 374077a57da0f5b8023e2323d8717ef6 |
| SHA1 | d97ad9340295cf540f6dcda0382b7c797aea42bc |
| SHA256 | 8974008ce89cfdd8fbaeb2c57a3e6f3b5902a134a05c10bcdcddd18cb8d562f2 |
| SHA512 | 19bc637be6405b3759c968b783e5d9586c3de4c67959313de5fcbd7de98cfd3403f9481cd925ab5c38341c01b77907bb4a7b5d6d6c4cb0abefc3311a964afea7 |
memory/112-26-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/664-25-0x0000000002E00000-0x0000000002EB5000-memory.dmp
memory/112-28-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/664-29-0x0000000002E00000-0x0000000002EB5000-memory.dmp
memory/112-30-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/112-31-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/112-32-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/112-33-0x0000000000400000-0x00000000004B5000-memory.dmp