Analysis Overview
SHA256
aacba6bf782d351e5b648a668d7b9ed06945b3bbd37a8e4a6a0a1cc487fb8c59
Threat Level: Known bad
The file 8d03bdd2005eb302490732881c6135aa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 02:48
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 02:48
Reported
2024-08-12 02:51
Platform
win7-20240704-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deafz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kosap.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deafz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\deafz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kosap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\deafz.exe
"C:\Users\Admin\AppData\Local\Temp\deafz.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kosap.exe
"C:\Users\Admin\AppData\Local\Temp\kosap.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1828-0-0x0000000000400000-0x000000000048C000-memory.dmp
\Users\Admin\AppData\Local\Temp\deafz.exe
| MD5 | 25344e2ddaefacc3543c25828974e3ba |
| SHA1 | 1e90dffcbf812853c557a3b726323f38fa7f2c1a |
| SHA256 | 542d5d2b2ac83a16c7f8a62001d4c51e4d3f4091ad111811f57879439a84161f |
| SHA512 | 03c705c1d288d0e085033c60312b653ddc5901bc13680e984c97d276d6756f4ccfa7b46a7fb78cec921661b02463300a581fe527bb06e89f40c1178742402d7c |
memory/1908-16-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 01e9d6393ecd01325a3738c19b128bf8 |
| SHA1 | 45090026d7511220705d8fc459039447164cb23a |
| SHA256 | ad1447011de33fdf4a78e490f4d4da96fd64e37f687c6e52734ee0e5694e1cad |
| SHA512 | db4fcfc3769ceb1928e8dd550abe9844b204c7515762286702a290713566922edd837ec0dcea6bd0d2f6086ad6fc7e262662aee47ce9d5f2f6d36c7364e54359 |
memory/1828-9-0x0000000002C20000-0x0000000002CAC000-memory.dmp
memory/1828-18-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0b50ee5b20d250aa91c82bfd4072520d |
| SHA1 | 7c746f6a1006432b50d4b4ef1b4225ed5278abac |
| SHA256 | a0d46503a0d5ada2260762744876016d47679ae682216200db9320af96c54403 |
| SHA512 | 5a5c36401ad4925374d0d4cf7cc4ea0e4d8ec4f54aeb1647f18ffe4ec1ef10b4820371eb0c98e4b0de26ac76d64caf2748fd717c248fb9ca9bd50c30afae31ed |
\Users\Admin\AppData\Local\Temp\kosap.exe
| MD5 | 62e4afd81152299f22b1b4036862d7d7 |
| SHA1 | ea13c9b502583cce93da297e43d2c3dbef2471e9 |
| SHA256 | f9756c5e7836f549adf08b1a39c222f949a46f2286cedf328ce702f0d581ec16 |
| SHA512 | 035dc18b5cb8b45128a9f3ae4c1bd9a127fa36c9b83e14a5d3aa49f0e69c9db797997812880407ae7bd29b8459ebdfaa953372be23da217f4376b5c4fd948a92 |
memory/1908-26-0x00000000033D0000-0x0000000003473000-memory.dmp
memory/1908-28-0x0000000000400000-0x000000000048C000-memory.dmp
memory/788-29-0x0000000000CA0000-0x0000000000D43000-memory.dmp
memory/788-31-0x0000000000CA0000-0x0000000000D43000-memory.dmp
memory/788-32-0x0000000000CA0000-0x0000000000D43000-memory.dmp
memory/788-33-0x0000000000CA0000-0x0000000000D43000-memory.dmp
memory/788-34-0x0000000000CA0000-0x0000000000D43000-memory.dmp
memory/788-35-0x0000000000CA0000-0x0000000000D43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 02:48
Reported
2024-08-12 02:51
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kaher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kaher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyqor.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kaher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyqor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d03bdd2005eb302490732881c6135aa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\kaher.exe
"C:\Users\Admin\AppData\Local\Temp\kaher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fyqor.exe
"C:\Users\Admin\AppData\Local\Temp\fyqor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/8-0-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kaher.exe
| MD5 | a24fb7e70303535b7ffce3439df1980b |
| SHA1 | 078490ec08d9f040bc9e9673b7626b2b4e63e06b |
| SHA256 | fc7e7c63ab43f312dbdbd0eccce1534bf2b47ac39fe34e75817246413d519028 |
| SHA512 | 61bb5537de9de26ea52d9a8aa83a44ea9bce4f60c127cb11e0795c59884743f4bf182f94311b996141ca7147bc5cb1f24daa9c6ff9e8638740f45543e74f9a78 |
memory/8-13-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 01e9d6393ecd01325a3738c19b128bf8 |
| SHA1 | 45090026d7511220705d8fc459039447164cb23a |
| SHA256 | ad1447011de33fdf4a78e490f4d4da96fd64e37f687c6e52734ee0e5694e1cad |
| SHA512 | db4fcfc3769ceb1928e8dd550abe9844b204c7515762286702a290713566922edd837ec0dcea6bd0d2f6086ad6fc7e262662aee47ce9d5f2f6d36c7364e54359 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8688095804788d14fba571d683a8b28e |
| SHA1 | deb4456b1dc327e7ab45eb15e334065ae6f2f0e4 |
| SHA256 | b177bbd27ef844ca7a62755df04e0dd1ac1896c413f248efdaec7ad76b55b403 |
| SHA512 | c623ad152bfb38f6c56870d95ab6268bf9f597a533040a9b34abadad91556c9510bd6b06bbd2acc8f6ebd8f0735ab03ae9ce11cfb898f87378bb5a5052c45475 |
C:\Users\Admin\AppData\Local\Temp\fyqor.exe
| MD5 | 28408265d3b8d449085166cc07ace09d |
| SHA1 | 9b8d49ebdedc4400959f39c03ae879d5143e22ba |
| SHA256 | 18598a828dccff78021e046796a5b97cd1538a716014daac6a227959e83de04d |
| SHA512 | 851eae037f673f556c8c399a058595a5de7641c14769fb68e4ce8cb3b4849c1d74d2731e478d81831cc31c7a80cd578ff77930531dd64b10086aeb3d2b53a957 |
memory/2116-26-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4964-24-0x0000000000410000-0x00000000004B3000-memory.dmp
memory/4964-25-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/4964-28-0x0000000000410000-0x00000000004B3000-memory.dmp
memory/4964-29-0x0000000000410000-0x00000000004B3000-memory.dmp
memory/4964-30-0x0000000000410000-0x00000000004B3000-memory.dmp
memory/4964-31-0x0000000000410000-0x00000000004B3000-memory.dmp
memory/4964-32-0x0000000000410000-0x00000000004B3000-memory.dmp