Analysis Overview
SHA256
52b25a73fcab419e2ae5234663e4358d853fc2cb6429283863185daf3e08bdd2
Threat Level: Known bad
The file 8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 16:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 16:05
Reported
2024-08-11 16:07
Platform
win7-20240708-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lywys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldym.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lywys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oldym.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\oldym.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\oldym.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\oldym.exe
"C:\Users\Admin\AppData\Local\Temp\oldym.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\lywys.exe
"C:\Users\Admin\AppData\Local\Temp\lywys.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2756-1-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/2756-0-0x0000000000280000-0x00000000002FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 67fdeb47adf6a40e887b70e8012172e0 |
| SHA1 | 8d2d2823f025ac2b3905b494c3a7b41d261f2ba0 |
| SHA256 | 6eae42eeda35f8a23ddb823ec4a233e4b0588c0893e5bb23738dbd1b3adb7224 |
| SHA512 | 5f418f6919f87c58dc77f814ef881c0280b721aac472f7fb177dc4adf7d60d63216bf98136fe5be7e2267badcb8188cd00174f7d0a19c5151db368e54aaddec2 |
memory/2848-20-0x0000000000E00000-0x0000000000E7C000-memory.dmp
memory/2848-21-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2756-19-0x0000000002400000-0x000000000247C000-memory.dmp
memory/2756-18-0x0000000000280000-0x00000000002FC000-memory.dmp
\Users\Admin\AppData\Local\Temp\oldym.exe
| MD5 | f46f666f2554e2897642d7487320e354 |
| SHA1 | e4d42f0be7606e97d39d7eb97a4da9515f8fc861 |
| SHA256 | c76db606c96f6d88c7f816a0a63993618976aab7f251409e6ea215affc8e63f0 |
| SHA512 | 93c1e89d981d99ad2d5ee6335da7d8a12875298385208ae2842d098e12c5586c9d3a7342bf60930faf71812543220f3a178b7e6bf62c45917a6096576cfc9a8f |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4df0601d7463bc2b6edc01a07a65952 |
| SHA1 | 6de198cbd385577bc1a994753f9d709163e4000b |
| SHA256 | 48a830322f232bd76df0cb8e2bfb6996e98c7ac88febc3dd10c21c886a8c633b |
| SHA512 | 5c164e0bd478fb7e7f290304c3e7bf7ebae6bee5b4a9664020436d8e387c191a2ebbfa4e71f63c4abc23d7e1bb2638c619773e352da3ac7053df77b15529838d |
memory/2848-24-0x0000000000E00000-0x0000000000E7C000-memory.dmp
\Users\Admin\AppData\Local\Temp\lywys.exe
| MD5 | d665067c7d0244f3214e5800ad660ef0 |
| SHA1 | 8340769f96e7f6afc566e7599921915250568ad3 |
| SHA256 | e3d89fccee30ff596effd257ab0bd643e8260a35762287a3a93bbf13f76608e8 |
| SHA512 | c11af1dfa18e41db344befeaf3bbf8a0f5837f337499cb60b8c2b72eb1809def2d316526b8a0e8cdbe6d53981bfb73ba39b4cae54265e915e1fe51cbd7b26e08 |
memory/2080-42-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2848-41-0x0000000000E00000-0x0000000000E7C000-memory.dmp
memory/2848-38-0x00000000033F0000-0x000000000348F000-memory.dmp
memory/2080-44-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2080-45-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2080-46-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2080-47-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2080-48-0x0000000000400000-0x000000000049F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 16:05
Reported
2024-08-11 16:07
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rylef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rylef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\icluh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rylef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\icluh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\rylef.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rylef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b04b2cc0f3eda309e6089f8c068510f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\rylef.exe
"C:\Users\Admin\AppData\Local\Temp\rylef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\icluh.exe
"C:\Users\Admin\AppData\Local\Temp\icluh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/652-0-0x0000000000AB0000-0x0000000000B2C000-memory.dmp
memory/652-1-0x0000000002C70000-0x0000000002C71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rylef.exe
| MD5 | beb6bd058ed0788e596bb83e1618eb3c |
| SHA1 | fe115a081b07867ac8dd8366047a7cfd1d67c801 |
| SHA256 | e1aea83ebf76e840ea9a2bec2aee3a8cf92d3bf99506284bd9ccc437942022a6 |
| SHA512 | 60098b22cb1c146d77f137cf6413654718b97975c82ffed7a31e27fc457bd6de1ccf8fc21a747cb7118c74dc7a2cdde5d8639c7740a352bab832753cd57511e7 |
memory/2684-15-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2684-14-0x0000000000EF0000-0x0000000000F6C000-memory.dmp
memory/652-16-0x0000000000AB0000-0x0000000000B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 67fdeb47adf6a40e887b70e8012172e0 |
| SHA1 | 8d2d2823f025ac2b3905b494c3a7b41d261f2ba0 |
| SHA256 | 6eae42eeda35f8a23ddb823ec4a233e4b0588c0893e5bb23738dbd1b3adb7224 |
| SHA512 | 5f418f6919f87c58dc77f814ef881c0280b721aac472f7fb177dc4adf7d60d63216bf98136fe5be7e2267badcb8188cd00174f7d0a19c5151db368e54aaddec2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 493307a3ed18a6e0dd24b32fd0eef099 |
| SHA1 | 88793f25383bc581069c73c29c0c82e951eeadda |
| SHA256 | 83d60312a29858435762d13b28000d94ab17f6b4719d912d9977d1364c3bbf0e |
| SHA512 | ce8a3e839aa2d330ac491d955591502091a082434595f7a0cf2bf306b898374fb8d2a3a7b26fa1f9f1cb8a8d52d0b263b0b7dd365278c9df076a97aeff814af5 |
memory/2684-19-0x0000000000EF0000-0x0000000000F6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\icluh.exe
| MD5 | d106ccbb1907a7cf86077b2e1ba6871e |
| SHA1 | 80a5ab50bc399f2fb852c37acc964d4fb46cffa2 |
| SHA256 | e34948d99cbe9690d04ada80835a627d898f027dc2bf5ed1ae4b7214243ff2f9 |
| SHA512 | 700dcb5290284ef257185c9bc5d8293800f03b02d30fb82e33dff20825d0ed1232e85e999336f378a9e08592423e7b7df7bf33a163430eff4cde795621c0c5fb |
memory/2684-37-0x0000000000EF0000-0x0000000000F6C000-memory.dmp
memory/2992-38-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2992-40-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2992-41-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2992-42-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2992-43-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2992-44-0x0000000000400000-0x000000000049F000-memory.dmp