Analysis Overview
SHA256
5ac238e2930b64d9af7698882a8fd2eb0c0694f02291313ed04f28c1296f61e3
Threat Level: Known bad
The file 94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 20:39
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 20:39
Reported
2024-08-13 20:41
Platform
win7-20240729-en
Max time kernel
147s
Max time network
74s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mucoq.exe
"C:\Users\Admin\AppData\Local\Temp\mucoq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ybugho.exe
"C:\Users\Admin\AppData\Local\Temp\ybugho.exe" OK
C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
"C:\Users\Admin\AppData\Local\Temp\nyfoy.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2328-2-0x0000000000400000-0x00000000004B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\mucoq.exe
| MD5 | 01527b75f303e6d9326062da08b25bbd |
| SHA1 | 668c3752f015b63fbb3c791271a059918c1a3146 |
| SHA256 | 646cf12f1ddc9e6727b6853c61364aa3f29887d90de1e226ca40ce62ca2a084f |
| SHA512 | 750e0cb82435cfbe53a0c76e4e68deb2be6abd3898d964a1179c2249dd1858c6cdabbfa677b87a919b12347f2f6d11b4146b56d9bb38592c48c39926c8c9d473 |
memory/2328-6-0x0000000002530000-0x00000000025E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | eb5116da67b4a0a0e5524e6459599ff3 |
| SHA1 | a01962783f3aa9fc6e68b54f3e079c881e65cf41 |
| SHA256 | ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61 |
| SHA512 | 8dc986f4aa2a7642d0624fe6cf09d404ffbe3fcebe7be8dc1705895100a31348bcb42da08bc5b3309a61b8f8afb083d384999d3ef84daab4e7be12447b7acf42 |
memory/2328-21-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 5c9b87a7c53a1ed58149e827512b17e3 |
| SHA1 | 95262ab8393610e53a5149ad8fe088f10b70e28e |
| SHA256 | 72b8a0f977544c76cb9474c60ed29470d944efbf51d4ad29d45b6af6c4355128 |
| SHA512 | ff2ecfe1d0911e2bed9e203a6f6469d6bd09a2c801712d40e0ca72fea1b9372b24702fd136b661248eed3ce18ec298b50ba25004f2ec9b9befab342d91a9b421 |
memory/2992-33-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2792-34-0x0000000000400000-0x00000000004B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nyfoy.exe
| MD5 | 346bd140629313e5b71ec2a5732d6fca |
| SHA1 | bd3f86ff9f1114d6925b06ae0e1691d9d8be5eaa |
| SHA256 | e1d7397a597b94e2029b3d1252b255f1e2fb5a1c94f531105cb2cc1271f72f16 |
| SHA512 | 2bff28854c780054ad60be6b0768384a79694ba4fde1eb00de91271c56acbfcddff799142f45e7a97e5250e12f85f2455f2898162e9b09262deb4a8838c4816a |
memory/2792-42-0x0000000003BE0000-0x0000000003D76000-memory.dmp
memory/2792-51-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/3000-52-0x0000000000400000-0x0000000000596000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a157435640a10083c3c7b80bd79bd558 |
| SHA1 | d06c142bf8494b36294b1730e5997ba534e1845d |
| SHA256 | e295955bbc3a2d110224471c8ca589b64ddef0b81867f3eee16e0e163f2753a9 |
| SHA512 | 81e2a9f7cb06721281e7e071d797bd62a0e72a15fb3ba07f7f5eaf0557fbc321853aa0fde2b626f478663112bcfe792065e9020e172c9fe0b3c74e22a7836a96 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/3000-56-0x0000000000400000-0x0000000000596000-memory.dmp
memory/3000-58-0x0000000000400000-0x0000000000596000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 20:39
Reported
2024-08-13 20:41
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kijyi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kijyi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\semua.exe
"C:\Users\Admin\AppData\Local\Temp\semua.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
"C:\Users\Admin\AppData\Local\Temp\qolyzu.exe" OK
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\kijyi.exe
"C:\Users\Admin\AppData\Local\Temp\kijyi.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 39.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3064-0-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\semua.exe
| MD5 | e2c1898a8d680a3e18bad3120c25a507 |
| SHA1 | de2b028a9558a41d8ca8a26c4657b96770d4a053 |
| SHA256 | d4dcf38cb6851a12aa027decafc8da8ad0deb559768cfe2a985dbe429924a9b1 |
| SHA512 | c10c76b980fddf1ed8f7c2cfa0241e6064d12aef1a88dccb779e5fcb4cf49474e4a28a0f7a68059dbd1b90008083dc5bb2c1c871fd4b457e68bb73a507060fda |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 471bcd998acc861db1d29ab6a3633a29 |
| SHA1 | 289f7d02c68a008562baaff3052c7ed947865135 |
| SHA256 | dc5458ff94f32ccdf1dc9b39f1cb065f5558a7fa445027c83801960a903ff1de |
| SHA512 | 7a89b9cc0f98a0163970a0dd9c9dcfc4df8961b694b33650378a585519d30194c7beeda056b9b5a80790e6568e14f944eea69699b052ba692440b9b74b819645 |
memory/5100-13-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/3064-15-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | eb5116da67b4a0a0e5524e6459599ff3 |
| SHA1 | a01962783f3aa9fc6e68b54f3e079c881e65cf41 |
| SHA256 | ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61 |
| SHA512 | 8dc986f4aa2a7642d0624fe6cf09d404ffbe3fcebe7be8dc1705895100a31348bcb42da08bc5b3309a61b8f8afb083d384999d3ef84daab4e7be12447b7acf42 |
memory/1036-25-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/5100-26-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1036-27-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kijyi.exe
| MD5 | 2af0fd8ec82c79b7ceccac278cdff6f8 |
| SHA1 | 13138b659de9b84e11186083aff8604ee95e2ef7 |
| SHA256 | 48d3ee4235f39121c3fb5c1749444074779bd427b4855b004f6b77560105eb06 |
| SHA512 | c92da4ce4af30a9da8982b10414c12fb624ddafd5cdda7b5051e9bc5ab3884179b494f4f3b105c18eecc8ef862ea51b2f61a75b575b7e1df441caf9fcd392961 |
memory/2384-38-0x0000000000400000-0x0000000000596000-memory.dmp
memory/1036-41-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c37370c12cb26fd9045857f77cff0874 |
| SHA1 | 99e5b17747e266186e6bae1468cb543c71885617 |
| SHA256 | 41f590752d26120b2e7fafc8e6186a9d5f11654d6e3964c82148b8e7e141dd54 |
| SHA512 | 40c00a097219639bf8607bdaf3813500b4bc50db0d959e375f11f424dbcbae4fe021d226f53fa35d703ab0c4d82c7a81835b23348e20704a573182b226d917a1 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2384-44-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2384-45-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2384-47-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2384-49-0x0000000000400000-0x0000000000596000-memory.dmp