Malware Analysis Report

2024-11-16 13:28

Sample ID 240812-l37a9swdmp
Target 8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118
SHA256 dc7257b4ba127743bb0096752f8872bd0621c9285379642465b2c10f366f0ca7
Tags urelas, discovery, trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 10:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 10:04

Reported

2024-08-12 10:07

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan, urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

memory/2652-0-0x00000000012F0000-0x0000000001325000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 58d2175ebc74852bddcfb5b6b6866431
SHA1 cfca38d0ec7391c159ca8d16719c2d43754eaf38
SHA256 a539879fcb03a9b84b626b561a3c18c673bdf8ca3725e6bcfe366275b62995d7
SHA512 072604c46ae01295689f71b60c4ca93ad4ec5d3bf05f4400c1beb3dae3a3506cb7401c62c5534395f1c7b7fe3bcb41def6c48f73da549d9f004140ffc6ea7ab0

memory/2652-16-0x00000000005F0000-0x0000000000625000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 2e2d2d65eac339522df4147f53fc1777
SHA1 518922d33942c80fdbdee6a9bdc248d69d471612
SHA256 f1ef79c7eefe129b7ba57cf3a0bca2fa32ec4956121be90df761813b74bb143d
SHA512 0836a49752e1d16547462ee3742689f52ffd974da306b9645ab728ce4b1055ac267411d26fc81ad34afb4cdc8e4c42e8b1e47af205be67878ae9ad74496b1135

memory/2808-19-0x0000000000AB0000-0x0000000000AE5000-memory.dmp

memory/2652-18-0x00000000012F0000-0x0000000001325000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/2808-22-0x0000000000AB0000-0x0000000000AE5000-memory.dmp

memory/2808-24-0x0000000000AB0000-0x0000000000AE5000-memory.dmp

memory/2808-31-0x0000000000AB0000-0x0000000000AE5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 10:04

Reported

2024-08-12 10:07

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan, urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e5032f0d2aa4f8ef96335b037a29322_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/316-0-0x00000000007F0000-0x0000000000825000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 725810a354a8f405d150e4dd009d5c13
SHA1 ee2b4a2245d1c795bdb1f9d171c4cdeb72b6b035
SHA256 cc930f62e4f2e5ee53c2df6557c9cc8b575d516f86b3a08eba3a102f71f8a2bc
SHA512 832d98506e3dbd61bff6cfb3412b57141c639775657fefbad5995c8448ce668beb585f22a64e055f88cde13299e1a23c8e85803238fb591f1985d400f5fa4267

memory/3428-11-0x00000000001E0000-0x0000000000215000-memory.dmp

memory/316-15-0x00000000007F0000-0x0000000000825000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 2e2d2d65eac339522df4147f53fc1777
SHA1 518922d33942c80fdbdee6a9bdc248d69d471612
SHA256 f1ef79c7eefe129b7ba57cf3a0bca2fa32ec4956121be90df761813b74bb143d
SHA512 0836a49752e1d16547462ee3742689f52ffd974da306b9645ab728ce4b1055ac267411d26fc81ad34afb4cdc8e4c42e8b1e47af205be67878ae9ad74496b1135

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/3428-18-0x00000000001E0000-0x0000000000215000-memory.dmp

memory/3428-20-0x00000000001E0000-0x0000000000215000-memory.dmp

memory/3428-27-0x00000000001E0000-0x0000000000215000-memory.dmp