Analysis Overview
SHA256
f54c2a4f55a43229e44c612f872a9df51e02eadcc3b3b8fb9aa114933a325441
Threat Level: Known bad
The file 9205a035bf727251b6a7673b6866c34a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 06:50
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 06:50
Reported
2024-08-13 06:53
Platform
win7-20240704-en
Max time kernel
149s
Max time network
120s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ajrel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qirob.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ajrel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qirob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ajrel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ajrel.exe
"C:\Users\Admin\AppData\Local\Temp\ajrel.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\bexipy.exe
"C:\Users\Admin\AppData\Local\Temp\bexipy.exe" OK
C:\Users\Admin\AppData\Local\Temp\qirob.exe
"C:\Users\Admin\AppData\Local\Temp\qirob.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1940-2-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\ajrel.exe
| MD5 | 49a4f8847997d2ecca635a4299f8b1da |
| SHA1 | 42e73f8691cf4efadf4ae37f38a3b6a3459a6594 |
| SHA256 | b04114def05b2fd8d875179f6f3dccfd9978c81f3f3823859ad3684d754e394f |
| SHA512 | 1cebdb8227475ecde9f8746b2f1630221e143e2164dc0fd9e4580c637dc7568abfdc9a26499c072877c8ea750b631883fa24bfa299252b80c9cc019040e4c6e4 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4852f8a608eeed50e2c0e9661751767e |
| SHA1 | f4cddc558c9af2d3bf24cd377cfa5f043313386b |
| SHA256 | 1747c0207317558853fb28b7f8cfdc459eac5b2e841339a9d5b365016a4687a1 |
| SHA512 | ae1c40d528f9f69f56190b9a304b8a9e416caa7ddf342223a346ce6f863660e65d6026611f0b07865b8739185e0b92e1b79d279b72e97a6a1cb9de6ff6763994 |
memory/316-16-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 96d700d3ae0b0da73eaf8e6615e9d04f |
| SHA1 | 8c1456721e2b1f6ed2a915b7c4d8f23be6dc2919 |
| SHA256 | 12ba1fc6233e07c9cc9099a46186b9cd6c6bb074a6193d7bbe69e63450284626 |
| SHA512 | 7dc008ee244e77014c2fe3aa2317118bd87497fff9a28838df32bebbd9b9a18576bdeb6e11505463b401627463965295ea2652fde3037ae42dcb32c70d5b10bc |
memory/1940-20-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bexipy.exe
| MD5 | 77de69345f7749cdad42058881ecf2e2 |
| SHA1 | 83c12651419fd1bbc4b4076bb41731954d429021 |
| SHA256 | ca80e5307b2b4c19510f8d702278a0316cfb945f32dac174dcda343818e69b9c |
| SHA512 | 6e9561b118cad7076a79331abfc413ed80bc9ec40704d1b63815341a2a04c1bd9e02d680eed714557c7621c6577dd891ef518f4747f5710e39916cb5daa5489e |
memory/2168-26-0x0000000000400000-0x000000000046E000-memory.dmp
memory/316-27-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\qirob.exe
| MD5 | 8cbb7ffd88bbe1661fda75a7b7261cbd |
| SHA1 | d83fc54e1e88175eb52b448dd6ae2562ceecbe7d |
| SHA256 | 0e0b0b66447e817bacbf88589903bb0d60582db2cb6f7476bcea3852fe4a61a7 |
| SHA512 | 2da3c65504e9b5093d6da4bdc12c04475a6fab558b412d3adcee13c677a15b3c836e202a6e5862e9e58db493ba8553f8c60d7155ca9d6d3606fe8cb437d22357 |
memory/2168-35-0x0000000003030000-0x00000000030D0000-memory.dmp
memory/1980-44-0x0000000001250000-0x00000000012F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f390a382077a9e3dc1c9539c0ca4747e |
| SHA1 | 137ae28093a106fb32d37cd6073c0e911ba45f24 |
| SHA256 | 293fbd6c74e6d0167f4cb80f5594e0dee42de9f21d7ed33a9342674c873a373c |
| SHA512 | 76ef7be0254c710578c639867a1502206313315a779b4e5f2ff69ab96287a9c268b9a7296cc84fdf7641ff5cf2fa593c94829370a27e7f1f933b0dd6fcf72564 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 06:50
Reported
2024-08-13 06:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
131s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uzegl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hypody.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzegl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hypody.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokip.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzegl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hypody.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tokip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9205a035bf727251b6a7673b6866c34a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\uzegl.exe
"C:\Users\Admin\AppData\Local\Temp\uzegl.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\hypody.exe
"C:\Users\Admin\AppData\Local\Temp\hypody.exe" OK
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\tokip.exe
"C:\Users\Admin\AppData\Local\Temp\tokip.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/3992-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uzegl.exe
| MD5 | 181264c5e9a4409e6153f160fd9eac8b |
| SHA1 | a6a0470e08cd79362dee3a293ede16d5b9467961 |
| SHA256 | fcd06544071381e7f1729bf12e72a42ef184caad2f3e3fb74aebdb7c86e8b06b |
| SHA512 | 2f1c9c01a5ea94aa83fcaf9c860e7ee75852eddbc582cbf22cc1e44bbab6df47d032dc93cae309cec49abedacb70102740e561dc42510569c86d19ead4cf5dc2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b6e885f160cf6a0b502d1498e57c20de |
| SHA1 | 8ec8a9b0a937c442ef3b2ddf0158fca6d8d73a5c |
| SHA256 | 60bad1770ca7bc85fe1f8a6ba2c91fc1b38a50ff0c0d87672566ab6f6d1e5fac |
| SHA512 | 5a73a61cd073c8e5d5a3b0907f2e34403a00701bff9e94338cd3e8a68c2e8cf5f14b7ad59572633e2b76edd00932d61718898d90809976081d0aa522688da6b3 |
memory/2916-14-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3992-15-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 96d700d3ae0b0da73eaf8e6615e9d04f |
| SHA1 | 8c1456721e2b1f6ed2a915b7c4d8f23be6dc2919 |
| SHA256 | 12ba1fc6233e07c9cc9099a46186b9cd6c6bb074a6193d7bbe69e63450284626 |
| SHA512 | 7dc008ee244e77014c2fe3aa2317118bd87497fff9a28838df32bebbd9b9a18576bdeb6e11505463b401627463965295ea2652fde3037ae42dcb32c70d5b10bc |
C:\Users\Admin\AppData\Local\Temp\hypody.exe
| MD5 | e8cf4f696f290521b8cfd9e66c789ebe |
| SHA1 | e6e1ea40ae66cf09ee32a2c1ddce40720efd69f8 |
| SHA256 | 3262fe8d9fe382c4f2b6194385b503949a8fe6f24bb8940abed5c48300484abd |
| SHA512 | 4e56f4daa51941fd8f341c1717c18925be3e068a2b0271c71ef88ebab42aceec52145c955d9afe63b667e691792cbc87da3b2d5206198250a81f57a93664de4b |
memory/2916-25-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4400-26-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tokip.exe
| MD5 | d0cf130be87f362ef7ea56af9edf736c |
| SHA1 | a0accb4a10d63bc22a8145ee5c8babf9ee61c0cb |
| SHA256 | 12b7ccc3062b07ea827ffe4a4dad14304ed47ad419c6e7147b5318cc5ed19dc4 |
| SHA512 | e7162c26235c485a9f5eb7c263705cf4c0e92dc99e68b5c30a54be152ffb2c18b63b9ee7a61056fbe4d3400a7ad123427a40a2878a1f78ce99c3a0be9ff26a41 |
memory/1584-37-0x0000000000970000-0x0000000000A10000-memory.dmp
memory/4400-39-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 7286e8249d63ec9d0ec273f41263157a |
| SHA1 | 0448fb8b8aaa03ad92fdec0a6658b91177718536 |
| SHA256 | 34b23d76a379a8dd20f7fdb7b7e025cc6e43c85f2cee336f7fc1a0d1fa3937d0 |
| SHA512 | 5f4eb273e6d7b2c47b8892ca04e8490a44b875bc7172e015cfaa3e498b294eda71abb6b9da943a6d56e49e18e2babe45c0b06a9620b7471cfab42f6360fd3de6 |