Malware Analysis Report

2024-11-16 13:28

Sample ID: 240811-h4yhzathjd
Target: 897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118
SHA256: d0942265f4cb03f950a629179c47a5ddfe3e6e8d3558a6991af701aefa1d2936
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d0942265f4cb03f950a629179c47a5ddfe3e6e8d3558a6991af701aefa1d2936

Threat Level: Known bad

The file 897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-11 07:18

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-11 07:18
Reported: 2024-08-11 07:20
Platform: win7-20240708-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe
PID 3056 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Processes

C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11300 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 112.223.217.101:11300 | | tcp

Files

memory/3056-0-0x0000000000990000-0x0000000000A12000-memory.dmp

\Users\Admin\AppData\Local\Temp\sander.exe

MD5 bf8680f3d0d881ca84fa3e59353be37d
SHA1 4cb5e780d64e6aa370d3ef91fcdfd0d949ec444c
SHA256 487f579cbcfa25c240dfd129a0b009dddc37014429b89f17207604c4c21ebd43
SHA512 2b24ee207a88243ca89c949b14ba0be7f25b6d423d02c762e392ad2904ee1a2c88c20cbfc0308dd884831e1d2b3d2301e0064c83dcbedfbdb2b3615ed0e93f6c

memory/3056-9-0x0000000002300000-0x0000000002382000-memory.dmp

memory/1964-10-0x00000000008C0000-0x0000000000942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 3eae18f40d79c58f0bf5dea664258d43
SHA1 55f519ca180cbc032aaf87629af9fc848cf89142
SHA256 084665b8ce84bcfd6e68c0a5ca26dfaa30585ac99363f4a25494365e4fdb5c79
SHA512 34b6cae127f23f79c19fb00812dc36df559c41fd24beaa4e892fa9a125c41e777b70c32e44182899766d7a8836592288fb93ceee3dc2caa7179beccbd7782f0a

memory/3056-18-0x0000000000990000-0x0000000000A12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04113afab96ff36e7da4cabf336079cf
SHA1 2ab6a01f123c1ef4227cb134612749b67a237bf6
SHA256 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA512 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

memory/1964-21-0x00000000008C0000-0x0000000000942000-memory.dmp

\Users\Admin\AppData\Local\Temp\ctfmom.exe

MD5 af0e368678e854c1affcd213f727332c
SHA1 4358a0a557826c8092df94d1ccf1052c64270cd4
SHA256 c6df5ad3862c067b2562b7c7f0bac1acbc32b8b30081bd44288f052e1e81a672
SHA512 7cba08fac5223b89d6156396ddda8c224ae3ccfc28fa73f887387463942202a1f3a7379674327b71b7faf2eb017011f891abefbbf5b8059f13b6c56b4636ca26

memory/1964-26-0x0000000003C10000-0x0000000003CB1000-memory.dmp

memory/1964-29-0x00000000008C0000-0x0000000000942000-memory.dmp

memory/2132-30-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-31-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-34-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-35-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-36-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-37-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-38-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-39-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-40-0x0000000000BD0000-0x0000000000C71000-memory.dmp

memory/2132-41-0x0000000000BD0000-0x0000000000C71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-11 07:18
Reported: 2024-08-11 07:20
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\897ba7f69e8c232460a4eeb448f42ce9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 121.88.5.183:11300 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
KR | 112.223.217.101:11300 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/3868-0-0x0000000000070000-0x00000000000F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 b7a0a65898a731874f005e0f8bc2b12b
SHA1 bfa14bdbd994965a4a2c9c88ec084c6a8945c973
SHA256 9a87ee0ceb22002f7f81d0b1ce66f5bea306e62b45a284c4ae467cc335fbf9e6
SHA512 c64f82b63291cb9a78804f21e88ce6ce3ca7ae03a4e043c32716356e6f7c26773827a246cbe750b76b18004e73d464b4aa4a63970a0a487d6b6ce11c9ce4bd6a

memory/2524-11-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/3868-14-0x0000000000070000-0x00000000000F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 3eae18f40d79c58f0bf5dea664258d43
SHA1 55f519ca180cbc032aaf87629af9fc848cf89142
SHA256 084665b8ce84bcfd6e68c0a5ca26dfaa30585ac99363f4a25494365e4fdb5c79
SHA512 34b6cae127f23f79c19fb00812dc36df559c41fd24beaa4e892fa9a125c41e777b70c32e44182899766d7a8836592288fb93ceee3dc2caa7179beccbd7782f0a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04113afab96ff36e7da4cabf336079cf
SHA1 2ab6a01f123c1ef4227cb134612749b67a237bf6
SHA256 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA512 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

memory/2524-17-0x0000000000130000-0x00000000001B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

MD5 bf0a896d66cee92dd7404b3a19b25a5b
SHA1 a46ec07142c2307ef99e08a8d9f94280670f7b58
SHA256 ff8c9d0aa36561d022550d50a9b67c1a0cc224e669d642b53936a39b18486776
SHA512 41e51e9d1d4fef148d2053dd536f45ec9da14a31aa73c3fa0345c757027954226dfcdf8161bdf9842491efcbe02ef073512bb3cc9160013db81123c03205b69b

memory/2524-26-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/5116-27-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-28-0x0000000000970000-0x0000000000972000-memory.dmp

memory/5116-29-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-32-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-33-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-34-0x0000000000970000-0x0000000000972000-memory.dmp

memory/5116-35-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-36-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-37-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-38-0x0000000000B00000-0x0000000000BA1000-memory.dmp

memory/5116-39-0x0000000000B00000-0x0000000000BA1000-memory.dmp