Analysis Overview
SHA256
d0942265f4cb03f950a629179c47a5ddfe3e6e8d3558a6991af701aefa1d2936
Threat Level: Known bad
The file 897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 07:18
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 07:18
Reported
2024-08-11 07:20
Platform
win7-20240708-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11300 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 112.223.217.101:11300 | | tcp |
Files
memory/3056-0-0x0000000000990000-0x0000000000A12000-memory.dmp
\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | bf8680f3d0d881ca84fa3e59353be37d |
| SHA1 | 4cb5e780d64e6aa370d3ef91fcdfd0d949ec444c |
| SHA256 | 487f579cbcfa25c240dfd129a0b009dddc37014429b89f17207604c4c21ebd43 |
| SHA512 | 2b24ee207a88243ca89c949b14ba0be7f25b6d423d02c762e392ad2904ee1a2c88c20cbfc0308dd884831e1d2b3d2301e0064c83dcbedfbdb2b3615ed0e93f6c |
memory/3056-9-0x0000000002300000-0x0000000002382000-memory.dmp
memory/1964-10-0x00000000008C0000-0x0000000000942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 3eae18f40d79c58f0bf5dea664258d43 |
| SHA1 | 55f519ca180cbc032aaf87629af9fc848cf89142 |
| SHA256 | 084665b8ce84bcfd6e68c0a5ca26dfaa30585ac99363f4a25494365e4fdb5c79 |
| SHA512 | 34b6cae127f23f79c19fb00812dc36df559c41fd24beaa4e892fa9a125c41e777b70c32e44182899766d7a8836592288fb93ceee3dc2caa7179beccbd7782f0a |
memory/3056-18-0x0000000000990000-0x0000000000A12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/1964-21-0x00000000008C0000-0x0000000000942000-memory.dmp
\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | af0e368678e854c1affcd213f727332c |
| SHA1 | 4358a0a557826c8092df94d1ccf1052c64270cd4 |
| SHA256 | c6df5ad3862c067b2562b7c7f0bac1acbc32b8b30081bd44288f052e1e81a672 |
| SHA512 | 7cba08fac5223b89d6156396ddda8c224ae3ccfc28fa73f887387463942202a1f3a7379674327b71b7faf2eb017011f891abefbbf5b8059f13b6c56b4636ca26 |
memory/1964-26-0x0000000003C10000-0x0000000003CB1000-memory.dmp
memory/1964-29-0x00000000008C0000-0x0000000000942000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 07:18
Reported
2024-08-11 07:20
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11300 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 112.223.217.101:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/3868-0-0x0000000000070000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | b7a0a65898a731874f005e0f8bc2b12b |
| SHA1 | bfa14bdbd994965a4a2c9c88ec084c6a8945c973 |
| SHA256 | 9a87ee0ceb22002f7f81d0b1ce66f5bea306e62b45a284c4ae467cc335fbf9e6 |
| SHA512 | c64f82b63291cb9a78804f21e88ce6ce3ca7ae03a4e043c32716356e6f7c26773827a246cbe750b76b18004e73d464b4aa4a63970a0a487d6b6ce11c9ce4bd6a |
memory/2524-11-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/3868-14-0x0000000000070000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 3eae18f40d79c58f0bf5dea664258d43 |
| SHA1 | 55f519ca180cbc032aaf87629af9fc848cf89142 |
| SHA256 | 084665b8ce84bcfd6e68c0a5ca26dfaa30585ac99363f4a25494365e4fdb5c79 |
| SHA512 | 34b6cae127f23f79c19fb00812dc36df559c41fd24beaa4e892fa9a125c41e777b70c32e44182899766d7a8836592288fb93ceee3dc2caa7179beccbd7782f0a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/2524-17-0x0000000000130000-0x00000000001B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | bf0a896d66cee92dd7404b3a19b25a5b |
| SHA1 | a46ec07142c2307ef99e08a8d9f94280670f7b58 |
| SHA256 | ff8c9d0aa36561d022550d50a9b67c1a0cc224e669d642b53936a39b18486776 |
| SHA512 | 41e51e9d1d4fef148d2053dd536f45ec9da14a31aa73c3fa0345c757027954226dfcdf8161bdf9842491efcbe02ef073512bb3cc9160013db81123c03205b69b |
memory/2524-26-0x0000000000130000-0x00000000001B2000-memory.dmp