Analysis Overview
SHA256
1e195ecf93928be3f3afa79d1182c3f4a135c9a2115fc5096c0eab61a3134100
Threat Level: Known bad
The file 88a8147e7cf320f461043b93d81be3cc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 02:34
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 02:34
Reported
2024-08-11 02:37
Platform
win7-20240708-en
Max time kernel
149s
Max time network
90s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjpog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pugei.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjpog.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pugei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yjpog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\yjpog.exe
"C:\Users\Admin\AppData\Local\Temp\yjpog.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pugei.exe
"C:\Users\Admin\AppData\Local\Temp\pugei.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2560-0-0x0000000000400000-0x0000000000484000-memory.dmp
\Users\Admin\AppData\Local\Temp\yjpog.exe
| MD5 | baa4166153a823ea432c7c83f8323681 |
| SHA1 | 04b99b574f8f0111cd780c44065de52132fd0fc3 |
| SHA256 | bce85ba0937bd2995cccf8cc31bae3dcb6b923e5202fe655985a3da72011a516 |
| SHA512 | 9e5e9ecbdebd6d732591b5bf5e77d9af88a59d154d6f8f27c8d35f7c4ffb5a24c29431b362910967dab150e7025a344e941bdf432207c9d3841ae2645eef7990 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f2a0d5c9f9a4eb1f1c5cfa4c01ed2565 |
| SHA1 | c230b619cdd9d80216a2bc650e39c6e5f1850fdd |
| SHA256 | 3136ca2aa0e2e07f366e560fd50007a8e1d108db75faec972bd3590b04c4a908 |
| SHA512 | bb84a630c7d233d94c646b8babfbe2780cf529f17cfdfc7faf1b915d01b6d415b43bfbc7ab149d7651ccbd903d1fe5c607722cbef7208e5ba84552f20ab8a480 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e91f2db99b303c617939f301203c030d |
| SHA1 | 9ef465a8ba31c3ff5844e0a3628f8b20ad3a3108 |
| SHA256 | dd1e4466700846a779c038960e9e54f433e6da56faa07a471d8644844800b573 |
| SHA512 | f7a66ac24d9d6a5f9d08e53fcb8f82a5bd5455a3cbfb991ac4c3728ad79414932876f88e221b881a55129c7315e11378fa0fb22eeec302e1c2d3dfdb52bf2305 |
\Users\Admin\AppData\Local\Temp\pugei.exe
| MD5 | 4e640c77cf9f60fba4fe14339354c2d0 |
| SHA1 | 20e62e34226269b8be41769ea29b91b49fd1d69a |
| SHA256 | cd29ac58e0885516978ee8d600a32e9a301382494a37a2227764cbda3332b743 |
| SHA512 | aff29dd109b7b70b442ce07188a2ff105e676452578cde49d8d2ff4fcb0da4f5c312fe50459061a6d5b22b19b6d2cd873b7a022800a1d19f1f96c01fac08c0cd |
memory/1532-24-0x0000000003010000-0x00000000030C6000-memory.dmp
memory/916-26-0x00000000001B0000-0x0000000000266000-memory.dmp
memory/916-28-0x00000000001B0000-0x0000000000266000-memory.dmp
memory/916-29-0x00000000001B0000-0x0000000000266000-memory.dmp
memory/916-30-0x00000000001B0000-0x0000000000266000-memory.dmp
memory/916-31-0x00000000001B0000-0x0000000000266000-memory.dmp
memory/916-32-0x00000000001B0000-0x0000000000266000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 02:34
Reported
2024-08-11 02:37
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\enajq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\enajq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyxyh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\enajq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyxyh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\enajq.exe
"C:\Users\Admin\AppData\Local\Temp\enajq.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kyxyh.exe
"C:\Users\Admin\AppData\Local\Temp\kyxyh.exe"
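The Processes lists in both detonations show the same two patterns: an executable in the user's Temp folder launching further Temp executables ("Executes dropped EXE"), and cmd.exe run with `/c` on a batch file dropped in Temp (the "Deletes itself" step, `_uinsey.bat`, which is byte-identical in both runs). The following detection is an added example, not part of the sandbox report or the Urelas family write-up. The report lists processes but not their parent/child links, so the process tree, the PIDs and the benign control event are constructed for the example.

```python
"""Added example (not part of the sandbox report): flag the process pattern the
Processes sections show, using constructed Sysmon-style process-creation
events. The report lists processes but not their parent/child links, so the
tree below (which process spawned which) is an assumption for the example."""
import re
from dataclasses import dataclass

# Per-user Temp directory, where every dropped file in this report was written.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# 'cmd /c ""C:\...\x.bat" "' as seen in the report; tolerate cmd.exe's doubled quotes.
BAT_ARG = re.compile(r'/c\s+"*([a-z]:\\[^"]+?\.bat)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_temp(path: str) -> bool:
    return bool(TEMP_DIR.match(path))


def is_cmd(image: str) -> bool:
    return image.lower().endswith("\\cmd.exe")


def detect(events):
    """Return (rule, pid, detail) tuples for events matching either pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Pattern 1: "Executes dropped EXE" - a Temp executable started by
        # another Temp executable (sample -> yjpog.exe -> pugei.exe).
        if in_temp(e.image) and in_temp(parent.image):
            findings.append(("temp_exe_spawned_by_temp_exe", e.pid, e.image))
        # Pattern 2: "Deletes itself" - cmd.exe /c running a .bat from Temp,
        # launched by a Temp executable.
        if is_cmd(e.image) and in_temp(parent.image):
            m = BAT_ARG.search(e.cmdline)
            if m and in_temp(m.group(1)):
                findings.append(("temp_bat_run_by_cmd_from_temp_exe", e.pid, m.group(1)))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\88a8147e7cf320f461043b93d81be3cc_JaffaCakes118.exe"
DROP1 = r"C:\Users\Admin\AppData\Local\Temp\yjpog.exe"
DROP2 = r"C:\Users\Admin\AppData\Local\Temp\pugei.exe"

# Constructed events; PIDs and the parent links are invented for the example.
EVENTS = [
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1001, 1000, DROP1, f'"{DROP1}"'),
    ProcEvent(1002, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    ProcEvent(1003, 1001, DROP2, f'"{DROP2}"'),
    # Benign control: an operator's batch job from outside Temp is not flagged.
    ProcEvent(700, 500, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Scripts\backup.bat"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

Because the dropped EXE names differ between the two runs (yjpog/pugei on Windows 7, enajq/kyxyh on Windows 10), the rules key on the directory and the parent relationship rather than on file names; the same events with the win10 names produce the same findings.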
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
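Both detonations reach the same four TCP endpoints on ports 11110 and 11170 with no DNS resolution in between, while the Windows 10 run adds reverse-DNS lookups via 8.8.8.8 and Bing CDN traffic that the sample is not shown to have initiated. The script below is an added example, not part of the sandbox report: it takes the endpoints and dropped-file hashes from the report's Network and Files sections and classifies connections from a constructed key=value log. The log format, the sample log lines and the decision to treat PTR lookups and bing.net traffic as OS background are the editor's assumptions. Note that `_uinsey.bat` has the same SHA256 in both runs whereas `golfinfo.ini` and the dropped EXEs differ per run, so the batch hash is the only stable file indicator here.

```python
"""Added example (not part of the sandbox report): classify connections against
the IOCs this report lists. Endpoints and hashes are copied from the report;
the log format, the sample log lines and the 'background' rule are the
editor's assumptions."""
import re
from collections import Counter

# TCP endpoints contacted in both detonations (Network tables above).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# SHA256 of the dropped files. The batch file is byte-identical in both runs
# while the EXE names change per run, so the .bat hash is the stable indicator.
FILE_SHA256 = {
    "3136ca2aa0e2e07f366e560fd50007a8e1d108db75faec972bd3590b04c4a908": "_uinsey.bat (both runs)",
    "bce85ba0937bd2995cccf8cc31bae3dcb6b923e5202fe655985a3da72011a516": "yjpog.exe (win7 run)",
    "cd29ac58e0885516978ee8d600a32e9a301382494a37a2227764cbda3332b743": "pugei.exe (win7 run)",
    "f6cc55391ef8d69a2cbcae20a7cb93773a43b7ce1de1314754c1c7d56b682117": "enajq.exe (win10 run)",
    "0ba396b6e4ef0dd4f8bed77346239ec55d09bc17b3ec6b53bc62ea1e8189c143": "kyxyh.exe (win10 run)",
}

# Assumed key=value firewall/proxy log format; qname for DNS, host for TLS SNI.
LOG_RE = re.compile(
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+(?:qname|host)=(?P<name>\S+))?"
)


def classify(line: str) -> str:
    m = LOG_RE.search(line)
    if not m:
        return "unparsed"
    dst, dport, proto = m["dst"], int(m["dport"]), m["proto"].lower()
    name = (m["name"] or "").lower()
    if proto == "tcp" and (dst, dport) in C2_ENDPOINTS:
        return "c2_match"          # exact IP:port from the report
    if proto == "tcp" and dport in C2_PORTS:
        return "c2_port_only"      # weaker: same unusual port, different host; review
    # The win10 run also shows PTR lookups via 8.8.8.8 and Bing CDN traffic.
    # Treating those as OS background noise is an assumption, not a report finding.
    if name.endswith(".in-addr.arpa") or name.endswith("bing.net"):
        return "background"
    return "other"


def triage(lines):
    """Count each classification across a batch of log lines."""
    return Counter(classify(line) for line in lines)


def lookup_hash(sha256: str):
    """Return the report's label for a dropped-file hash, or None."""
    return FILE_SHA256.get(sha256.strip().lower())


# Constructed log lines; 203.0.113.7 and 198.51.100.9 are documentation addresses.
SAMPLE_LOG = [
    "2024-08-11T02:35:01Z src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp qname=71.31.126.40.in-addr.arpa",
    "2024-08-11T02:35:02Z src=10.0.0.5 dst=218.54.31.226 dport=11110 proto=tcp",
    "2024-08-11T02:35:03Z src=10.0.0.5 dst=1.234.83.146 dport=11170 proto=tcp",
    "2024-08-11T02:35:04Z src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp qname=tse1.mm.bing.net",
    "2024-08-11T02:35:05Z src=10.0.0.5 dst=150.171.27.10 dport=443 proto=tcp host=tse1.mm.bing.net",
    "2024-08-11T02:35:06Z src=10.0.0.5 dst=203.0.113.7 dport=11110 proto=tcp",
    "2024-08-11T02:35:07Z src=10.0.0.5 dst=198.51.100.9 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):14} {line}")
    print(dict(triage(SAMPLE_LOG)))
```

The `c2_port_only` class exists because infrastructure IPs rotate faster than the port convention does; it is deliberately kept separate from `c2_match` so an analyst reviews it rather than blocking on it. DNS queries for anything other than PTR or bing.net names fall into `other`, since a variant that resolves a domain would otherwise be hidden by a blanket "8.8.8.8 is noise" rule.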
Files
memory/2936-0-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\enajq.exe
| MD5 | a25b73a520c596fbeb0f68fbcece9cf8 |
| SHA1 | 457a1c027074e847cf0e6811e5040dcbf85e239b |
| SHA256 | f6cc55391ef8d69a2cbcae20a7cb93773a43b7ce1de1314754c1c7d56b682117 |
| SHA512 | 6736d5ae855ab663e7525d21576163c2ab5eb38245bef2eb6dc60813a0a83abfda470c2013d993bc0f28e5e720cfd39b18f7849b3f5f382a74a1a20e445b6272 |
memory/4516-11-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f2a0d5c9f9a4eb1f1c5cfa4c01ed2565 |
| SHA1 | c230b619cdd9d80216a2bc650e39c6e5f1850fdd |
| SHA256 | 3136ca2aa0e2e07f366e560fd50007a8e1d108db75faec972bd3590b04c4a908 |
| SHA512 | bb84a630c7d233d94c646b8babfbe2780cf529f17cfdfc7faf1b915d01b6d415b43bfbc7ab149d7651ccbd903d1fe5c607722cbef7208e5ba84552f20ab8a480 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6b8ee67d0877e3dadad1cd69980e36e7 |
| SHA1 | 47cb70d0dcb182fde20c4db917c1b57a4cdc66d3 |
| SHA256 | 09018be567a1fb34066fce9cf05db645cf105f17bd571fda7ef43b9e3a272ad9 |
| SHA512 | 3f06d081c26d7ecba71f95894a4d4aa85aa484ebfc58222744bb90c1de3a2d027409793213c390be3ca9b8f5fcf68b21db47be378d2e75ff7f3eda4d79e3407b |
C:\Users\Admin\AppData\Local\Temp\kyxyh.exe
| MD5 | 397f490ae15995e57bfb5c13c33456ef |
| SHA1 | dff13ccbc6b9fce4df599690610d6132cc23e2b3 |
| SHA256 | 0ba396b6e4ef0dd4f8bed77346239ec55d09bc17b3ec6b53bc62ea1e8189c143 |
| SHA512 | 54f8c1ffd6d07bbafa70a0087b363b20ee20af0efdb54eebc642238fee819adfa140caf719b1b66cbc3486eb36ba049a54e242fe6cca7caa1d494a7df49a1f9b |
memory/392-24-0x00000000005C0000-0x0000000000676000-memory.dmp
memory/392-25-0x0000000001440000-0x0000000001441000-memory.dmp
memory/392-27-0x00000000005C0000-0x0000000000676000-memory.dmp
memory/392-28-0x00000000005C0000-0x0000000000676000-memory.dmp
memory/392-29-0x00000000005C0000-0x0000000000676000-memory.dmp
memory/392-30-0x00000000005C0000-0x0000000000676000-memory.dmp
memory/392-31-0x00000000005C0000-0x0000000000676000-memory.dmp