Analysis Overview
SHA256
c0d0a870944ec535552a7ed1b74b1f5fb4eb40c71bf3f66a458b6606bfc9f37c
Threat Level: Known bad
The file 92067e793385aa6062f79d58308c8b36_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 06:51
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 06:51
Reported
2024-08-13 06:54
Platform
win7-20240708-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nezyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taazac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyutn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nezyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nezyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taazac.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taazac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qyutn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nezyl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nezyl.exe
"C:\Users\Admin\AppData\Local\Temp\nezyl.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\taazac.exe
"C:\Users\Admin\AppData\Local\Temp\taazac.exe" OK
C:\Users\Admin\AppData\Local\Temp\qyutn.exe
"C:\Users\Admin\AppData\Local\Temp\qyutn.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2324-2-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4154c5624c0c2bcf5d75c9168c39ab14 |
| SHA1 | 90e84927bd4e23d6215d9a8b5eebefa399cb7641 |
| SHA256 | 9ba88ade46ea3660b65f77019e9dafad77ee812c0339959ac9c048d0c59459a9 |
| SHA512 | 04fd42c4c7c5d80f9d7dc9844cf565b2efe214246eee8b6493881c6a45634592917f6770f1d4864e3639af6edbed0d4fa842989ed36296c3efbb2dfb8a84ccd3 |
memory/2324-13-0x00000000021C0000-0x0000000002228000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nezyl.exe
| MD5 | faa931e7ee98bb5eb5f8cf6a55c3b322 |
| SHA1 | 49c3487296b57f84c32224aaf0ea83095a9a8acf |
| SHA256 | d096edb54837f6d224fdf340a3e465d1bab4cf6870ebea2369052b3826355379 |
| SHA512 | da508d91eaba0e866805f55805d292787a63ac95aa8b853fd57e6a331d6d1fef09b54812736aac0cbc284adb83d01e337c49d6544acca078abee11bdbf31680a |
memory/3020-21-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f26792c501b4ed72ad62390d350d130f |
| SHA1 | 24446ad69b84820c1faf5e91beaa2fc3713a59aa |
| SHA256 | 4d09a424d930d58c10ccad25b236a4a499c432d4544f0ac99a8ef148e39f3073 |
| SHA512 | 21ab4ab585320113a1a3a422951d9bff050f48e24b7b56094ad68575577ff4903d2487189f358e023a3cd85416c00656cab507641b42bc73508a923d1b8ef48c |
memory/2324-12-0x00000000021C0000-0x0000000002228000-memory.dmp
memory/2324-25-0x0000000000400000-0x00000000004679C5-memory.dmp
\Users\Admin\AppData\Local\Temp\taazac.exe
| MD5 | cada88509eafb9ea8e181d44b6e758b9 |
| SHA1 | 6db54f8e81bf4745168f948a0fe574ebda58c2da |
| SHA256 | d9acd6dfbe6e8b7aece96305df5a23f348df7f0be9f7dda85a7c8a0ec23fbdbb |
| SHA512 | a5655c5d28ae05f32512b69ec5509bbadfedcd0c9fe5b35fccf008608daf4bdc6ea15387bfa960cde0d02c5f7430e8f094011161bdb7944b3e5d9573d706d7e0 |
memory/3020-36-0x00000000037E0000-0x0000000003848000-memory.dmp
memory/3020-35-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2804-37-0x0000000000400000-0x00000000004679C5-memory.dmp
\Users\Admin\AppData\Local\Temp\qyutn.exe
| MD5 | 18eae8769006703d1dbd0b514820a62d |
| SHA1 | 7734880c6f06bc0d383e8b6802f1b1fb96582ea2 |
| SHA256 | 6477b3a86400e7dc8326c0473d1948c54ef07d5c9f63b790041ed84bcd4460db |
| SHA512 | 6a22d1daacc35e5aad548e35217d4208d66a120d83ec5b9fbf592581b8163acce408498f19117fcf98b950f858895b8a36fa4b71a5b443cd9370daac1018f5bc |
memory/1340-53-0x0000000001340000-0x00000000013E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ba1bbf41f7cf88d200af9ba948bec9b2 |
| SHA1 | 789dbe00467e5de5cccc0900d099914534449cc5 |
| SHA256 | 5dcea436656f50fc2e72bd20079dbb8facdf1c0d183a0b694ca23309b3b3793a |
| SHA512 | 39bec5e2636260de6c23c2dc1092fe0c9c2b0addc0dcfdcdcae63d2fa97cb0f38c4c09201e05e9d1a3680eed265dbdb788c6aa273c5e4cb782eb14911864c7f2 |
memory/2804-45-0x0000000003C70000-0x0000000003D10000-memory.dmp
memory/2804-57-0x0000000000400000-0x00000000004679C5-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 06:51
Reported
2024-08-13 06:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\loufog.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loufog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loufog.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92067e793385aa6062f79d58308c8b36_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\niqay.exe
"C:\Users\Admin\AppData\Local\Temp\niqay.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\loufog.exe
"C:\Users\Admin\AppData\Local\Temp\loufog.exe" OK
C:\Users\Admin\AppData\Local\Temp\mydad.exe
"C:\Users\Admin\AppData\Local\Temp\mydad.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/4120-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\niqay.exe
| MD5 | 339311e97f04e44990e03d72b828948b |
| SHA1 | d387737c171deb2ec1e0557b877fa53c1f69ed32 |
| SHA256 | b40a350226ea7b8c496e0034531c5ec0baf5eb5c27b68cda00b04dd93e4a3bd7 |
| SHA512 | 50c35de547aefdae9af7c65f4bb8d6102363ff70332b31ffef1eadf29bb01021858dd784dfeefa6ea864ea4833ffd22684daa95cdb11d8cdd6ceac154f19d177 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 17d7fc6993a7af0e143cca66e52c7893 |
| SHA1 | cb81e2a9ee5278be8de3c742e60cdf2b336db2cd |
| SHA256 | 183a5bd4d8b45d5129392c6ee3407a327271fb0e12fc20a23720d086b352088f |
| SHA512 | a2d8845aea4fc0defbf289a8b3e090326f4008409f6261521f6b289ad5c1ee2989e0a51b11a6e88240065b2115f4a383a6d1cf8f0f422c6ab08d344e338aa9d3 |
memory/4812-14-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/4120-16-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f26792c501b4ed72ad62390d350d130f |
| SHA1 | 24446ad69b84820c1faf5e91beaa2fc3713a59aa |
| SHA256 | 4d09a424d930d58c10ccad25b236a4a499c432d4544f0ac99a8ef148e39f3073 |
| SHA512 | 21ab4ab585320113a1a3a422951d9bff050f48e24b7b56094ad68575577ff4903d2487189f358e023a3cd85416c00656cab507641b42bc73508a923d1b8ef48c |
C:\Users\Admin\AppData\Local\Temp\loufog.exe
| MD5 | b1f60abe8bd4476c252cf6a7e227f8a3 |
| SHA1 | 998020f782e71fd8bec9d3461e10f660efe69052 |
| SHA256 | 127cf8c935199d8762200ab5081b72736535254f8502c2a21a66fad535deb440 |
| SHA512 | f64d267ccc4f5dc17308fbe34cfefd1d11234efeec5b70351270069eadbc1040aab46713e984084346c3684997a80805ef36fa4463edd1eae020a37a7cd334f3 |
memory/2996-26-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/4812-25-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mydad.exe
| MD5 | 1380a167038eeb5dfbca35032bd587b8 |
| SHA1 | 58638ff62bf12fbeacda73bb737f0e686d60d743 |
| SHA256 | da122e195cb0dbcf45d7452821932745d402c0a1cfd9356c6256ea1dbd11e161 |
| SHA512 | cac175e524a9bdc9c5e1ac6e03bce34c5a41a560ee15d5038d5f49f2e568adb84d58dabb39776e928c8a7dce205ed7356365aef0c2a404256a40666f06306d43 |
memory/736-36-0x0000000000750000-0x00000000007F0000-memory.dmp
memory/2996-39-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 7e1597346193a16cf5fa5662786b9513 |
| SHA1 | bf44d5d9ba11e1615d03a711f9be271b2d2034e7 |
| SHA256 | 22a464a948e9154e0b52ea5fb248c13b97b345337d847bd679e17b5341f282b9 |
| SHA512 | 6a9e92d06e5bffcb117344046a5c20692a39cbc56f2905bf96605867cb50a36f770aa6d5217b5fe223f0d106a24814352e5c89c58f7f0ab6df098c0f6fc55b21 |