Analysis Overview
SHA256
2ea057273f648a97cad107ac27aee3c63899117c66b0760d56574c69d8b9f218
Threat Level: Known bad
The file 8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 15:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 15:22
Reported
2024-08-11 15:25
Platform
win7-20240704-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cocyj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biojh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cocyj.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cocyj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biojh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\cocyj.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cocyj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\cocyj.exe
"C:\Users\Admin\AppData\Local\Temp\cocyj.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\biojh.exe
"C:\Users\Admin\AppData\Local\Temp\biojh.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2056-0-0x0000000000E00000-0x0000000000E7C000-memory.dmp
memory/2056-1-0x0000000000100000-0x0000000000101000-memory.dmp
\Users\Admin\AppData\Local\Temp\cocyj.exe
| MD5 | bc48658fca5ab1531b1d1559226d489b |
| SHA1 | ba730f797c765978fc772c5fa20a99b32be6d913 |
| SHA256 | 2aff5c0afb20c22b4c7084a601f5c8b9017cea8de07d1b10bcf9e3ade186ee01 |
| SHA512 | 92a01b9d8b607d5d11638bb7a83c3a0e62ee9f47e14a902f8b8a57773dfa9f4c1f26aec43228a654a7c0b730a0ffc3b023a26299d9440725fcde5dd3652dc47d |
memory/2056-7-0x00000000025D0000-0x000000000264C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | dca0f091061b32641ab2509e3b92ba36 |
| SHA1 | 2ca31d821c0e853dc3eb8e840f831207b88ee222 |
| SHA256 | 3b16435a3148c8ad99338dad637cbcdff6b93c5deb1558cf1c39e1c3eb007138 |
| SHA512 | 390daf592b130816fdf881a92cb1fdc72956311b4408a765e008fca23ae1905c7a834458e15e452b28d398b92707778236c5ba4ae7b9957e468fae1fff9ed2ff |
memory/840-19-0x0000000000140000-0x0000000000141000-memory.dmp
memory/840-18-0x0000000000A70000-0x0000000000AEC000-memory.dmp
memory/2056-21-0x0000000000E00000-0x0000000000E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7aff3771f2389fcc256a6afb85e1b33b |
| SHA1 | c58ea3bd962ad070d8bd318f593ba5eda99e66e9 |
| SHA256 | bd45d26040e8a6f3425872d83e7b9b54d4b5556ddc2e2efa736b07018c56c87e |
| SHA512 | f3e731627f4d9ae10e682df1a058203c375ca307ca7a179f35fb2e76e6ee24e30bdbecfdc0369842129f46f72d891675632350f1d3cd38ca085de44777690721 |
memory/840-24-0x0000000000A70000-0x0000000000AEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\biojh.exe
| MD5 | e577a4b186075730774719b1b2b51275 |
| SHA1 | 623d4ae92026b62f7e48896956f9e0f3c76b28eb |
| SHA256 | 28cb14065c53c77286e3ca1bd07dce617014c12de1369dfc7caa0df99df2f7d3 |
| SHA512 | 4e5192d8b3ebf78ae4860c5c21db956ee090b55a165b01004eadaa80124492332c7c3ba09f998d31f54ae12abcd497d0dcf6b919644c619c0c783543b8a02dde |
memory/840-38-0x0000000003710000-0x00000000037AF000-memory.dmp
memory/1996-42-0x0000000000400000-0x000000000049F000-memory.dmp
memory/840-41-0x0000000000A70000-0x0000000000AEC000-memory.dmp
memory/1996-44-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1996-45-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1996-46-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1996-47-0x0000000000400000-0x000000000049F000-memory.dmp
memory/1996-48-0x0000000000400000-0x000000000049F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 15:22
Reported
2024-08-11 15:25
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ciqor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciqor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\romec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ciqor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\romec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\ciqor.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ciqor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ae40f2dad16dce27560b7a9d43fcb32_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ciqor.exe
"C:\Users\Admin\AppData\Local\Temp\ciqor.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\romec.exe
"C:\Users\Admin\AppData\Local\Temp\romec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/3404-0-0x00000000001D0000-0x000000000024C000-memory.dmp
memory/3404-1-0x0000000002920000-0x0000000002921000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ciqor.exe
| MD5 | 499ea1a9e4baff0f9410c6d64705d26a |
| SHA1 | 437eb14e3b25be632ca13637885cb0bd34f281e8 |
| SHA256 | b79eaa74c02e15051c7fb3a9e4b7c48c3f66946a966a2d88be704364a9c991da |
| SHA512 | 6f78063bd88f4abdc7747833d169d1dd6700b009e27add5c491a8b3d54c0dfc9c23586acae86e492f88fe357c00085999d5bc26acec1f091f377e74c9948f46f |
memory/4676-13-0x0000000000E10000-0x0000000000E8C000-memory.dmp
memory/4676-15-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/3404-17-0x00000000001D0000-0x000000000024C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | dca0f091061b32641ab2509e3b92ba36 |
| SHA1 | 2ca31d821c0e853dc3eb8e840f831207b88ee222 |
| SHA256 | 3b16435a3148c8ad99338dad637cbcdff6b93c5deb1558cf1c39e1c3eb007138 |
| SHA512 | 390daf592b130816fdf881a92cb1fdc72956311b4408a765e008fca23ae1905c7a834458e15e452b28d398b92707778236c5ba4ae7b9957e468fae1fff9ed2ff |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 47e89dde7478dfbc194d6453b9e3dede |
| SHA1 | 100ee93b10d5e105f6b41d02c055e21a2db4ffcd |
| SHA256 | 8669a6c6a04af6603b335074ed7a045ab9a5a84c1be602a653486359ff0c0c6e |
| SHA512 | a39b9d32c40a8be7b4d63ca9153e72fac3a453b06445c8983e881d15efdb01580ab9e0eb3d94d8cb0243b3ce6b617ef6638087a0d1867a01c532b138c0081750 |
memory/4676-20-0x0000000000E10000-0x0000000000E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\romec.exe
| MD5 | 76818e1ecae5ea0a067508ef43cb4ff4 |
| SHA1 | 0e008768fe9a61a098f8c06925cc7eab0188fdd6 |
| SHA256 | ee7fbe327eec02614fc324da8a8a5a6f5bc6560a0958dff7c116c00593344035 |
| SHA512 | 774011dec7bdb47bde3992ecab8083a093284f6491f141e415d52bbc8e04c92aff6418bd1d20bd79c8c6c67edff871a5a5a17de941488f94a7ff2c7682e2a157 |
memory/2700-37-0x0000000000400000-0x000000000049F000-memory.dmp
memory/4676-39-0x0000000000E10000-0x0000000000E8C000-memory.dmp
memory/2700-41-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2700-42-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2700-43-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2700-44-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2700-45-0x0000000000400000-0x000000000049F000-memory.dmp