Analysis Overview
SHA256
a377951a3b2be58c13c1ffba5e4a182549467bfbe715edb0f21ee4963d4c870d
Threat Level: Known bad
The file 89591f001416015a7587f5d92f295bfc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 06:31
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 06:31
Reported
2024-08-11 06:33
Platform
win7-20240708-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\imzod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tyker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\imzod.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\imzod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tyker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\imzod.exe
"C:\Users\Admin\AppData\Local\Temp\imzod.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\tyker.exe
"C:\Users\Admin\AppData\Local\Temp\tyker.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2120-0-0x0000000000200000-0x000000000027C000-memory.dmp
\Users\Admin\AppData\Local\Temp\imzod.exe
| MD5 | 0cefd92f80b1f30820f04a7aefe17414 |
| SHA1 | eee0b5bc1a3910978435c96577f9101c441f690f |
| SHA256 | e8f07dcedd4bd7814dadc12c5a636462795de5685170dd87a7bc6d9a32122189 |
| SHA512 | 1064cc32d9ed835071c3967e1d708a9ca91e2b5ef125ab28ebf5bbf6a11abf5ba1bee107ab31de99bce496e5c10225fdc47b2e6741aff5ab020390aadc0f3f72 |
memory/2120-7-0x0000000002520000-0x000000000259C000-memory.dmp
memory/2492-10-0x0000000000F80000-0x0000000000FFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 81ba2edda25dd49fe8a7b967b5b21dea |
| SHA1 | 462d7401e023660a1463233f269571346c879497 |
| SHA256 | 15d31c60557bc4d1e7023d8e5e68d266c8779fe97577eae75235e74577a67a7a |
| SHA512 | 665012aeeb8bd72616d89ded840f4e131877967dfcd8536d50edf21d985b48e3454cc1223f719355c1c86c9f3696b70b6d039f29ed0be4fb14d400e858ebe18c |
memory/2120-18-0x0000000000200000-0x000000000027C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b47f04b08fcd8971c3fdcb225a29810e |
| SHA1 | 2cca9ed47482e810a076256fcf8ef6d3b5d9458a |
| SHA256 | 493e2dcf994fadb4bd148c5a86dbf87e1f5cebf6cb7fd35cd1ff0b0b61d4dd50 |
| SHA512 | 758a9fefe47143ef1301cd5a49b5aefcb4d03dd0e069502f21af8fe04b07e3c3b4e094aac9c32c253c6aa62e343d90b3bf9be1185f04f5a2ec31cd0b0fd45c47 |
\Users\Admin\AppData\Local\Temp\tyker.exe
| MD5 | 4d138e96e1bfcc5b3df4d0dda2953103 |
| SHA1 | 64a4458d4dc5a091d0ed6ead3d72e8f51af7e44a |
| SHA256 | 66e4e82d5120d284955cdc5af5c21b063acb7070bd96fbc56dccf5bd0faf3ebd |
| SHA512 | a60bac34125cc9e3f0a829349510f3e9cb3e4201b120bb62cd171fbf2c6cacca3bcecba830fd17c518c035ee1ea7450585d3e4d7865f5ef53f807ebb5d738eea |
memory/2492-26-0x0000000000F80000-0x0000000000FFC000-memory.dmp
memory/1144-28-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1144-30-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1144-31-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1144-32-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1144-33-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1144-34-0x0000000000400000-0x000000000049F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 06:31
Reported
2024-08-11 06:33
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kufyo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kufyo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lebon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kufyo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lebon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89591f001416015a7587f5d92f295bfc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\kufyo.exe
"C:\Users\Admin\AppData\Local\Temp\kufyo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\lebon.exe
"C:\Users\Admin\AppData\Local\Temp\lebon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/3808-0-0x0000000000760000-0x00000000007DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kufyo.exe
| MD5 | 0d8ed77e77ebdd6b9396a9d8785a6833 |
| SHA1 | e6fac874ed8710e5d4152d8beff30115ce3c59a2 |
| SHA256 | b9586183e84e1873fc5f101ff1d24ccdb8efc3ab7160ff01f5a49b321a7ab660 |
| SHA512 | 4931d3884565563aeb1e6582d67cfbea23820750a23512fa6421acdaf24f7430a35b39c69f61d3c18a006c8adde645216314e6edb12a8b4021e1729b463d4b4a |
memory/3756-11-0x00000000001E0000-0x000000000025C000-memory.dmp
memory/3808-14-0x0000000000760000-0x00000000007DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 81ba2edda25dd49fe8a7b967b5b21dea |
| SHA1 | 462d7401e023660a1463233f269571346c879497 |
| SHA256 | 15d31c60557bc4d1e7023d8e5e68d266c8779fe97577eae75235e74577a67a7a |
| SHA512 | 665012aeeb8bd72616d89ded840f4e131877967dfcd8536d50edf21d985b48e3454cc1223f719355c1c86c9f3696b70b6d039f29ed0be4fb14d400e858ebe18c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bf54f8f25021f6793b50a669378fe9ef |
| SHA1 | cc328f83496c1629896979d265a2da0c9fb0d873 |
| SHA256 | 432b1ce701a0d657a9c295e93fe300020a083b44db3862a1656dab09fb6c5121 |
| SHA512 | 5b1b1288265afc1a00da026b8e2af17938685ff16d942188e0cbd4e0ed7c42fe2d3ba0b748f582ff9b523bf502c2a096914dd0df461e675e6de43508fdf4ac20 |
C:\Users\Admin\AppData\Local\Temp\lebon.exe
| MD5 | f66e1342c0beef9ae3fac797d40006a8 |
| SHA1 | a93bf39006bd3ba88bf95c69d63ed3b1cbd35a86 |
| SHA256 | 9c36da768a5826b7de11ecbdd962fa6d1d6c381c5e337f4b37c504fbeebc2f22 |
| SHA512 | 5d9ea03ef43ee405a6e0f80e8a0f1e15fde074028a84d6376395d12344deb708304cdb5fd4aac296b5059b261a003a6e4bc212a379acdf46760dab558e08ba39 |
memory/1352-26-0x0000000000400000-0x000000000049F000-memory.dmp
memory/3756-25-0x00000000001E0000-0x000000000025C000-memory.dmp
memory/1352-28-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1352-29-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1352-30-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1352-31-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1352-32-0x0000000000400000-0x000000000049F000-memory.dmp