Analysis Overview
SHA256
e3e8018c7462d993d4c7265b879c5514f8feef8ee1da6ced8e45ec22c6242c11
Threat Level: Known bad
The file 1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 11:53
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 11:53
Reported
2024-10-08 11:22
Platform
win7-20240708-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wozax.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bekew.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wozax.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wozax.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bekew.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\bekew.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bekew.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\wozax.exe
"C:\Users\Admin\AppData\Local\Temp\wozax.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\bekew.exe
"C:\Users\Admin\AppData\Local\Temp\bekew.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1680-0-0x0000000000220000-0x00000000002E9000-memory.dmp
\Users\Admin\AppData\Local\Temp\wozax.exe
| MD5 | 49bc08fdb08ce5488256f78bb2c3132d |
| SHA1 | 2f1fcc3a4112b0b96e659aac5aa3f18544f1f912 |
| SHA256 | 200c0049c92ec3557b165e0f1ecaf4381d112febe66cb461dad92263b796bf3a |
| SHA512 | 3745c9813e14670a7b32f63b08ca3bb0d334ab4d183953649c74ea140c4bed56afed989f6399cf5f012e79b833f7fff83465f175cd7ecf4bd3f45ea8d3d019ee |
memory/1216-10-0x00000000002A0000-0x0000000000369000-memory.dmp
memory/1680-8-0x0000000002620000-0x00000000026E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3977506a4ee26db736f2405ff0a2cbd1 |
| SHA1 | eecb5066d3cabf44afa930a93a0ec9659885e6a4 |
| SHA256 | da769449401a5446cd799220f6a2dc8a7fb741d50cd2967d67139bfc2992e597 |
| SHA512 | 6c82a679e0f03daaa21844b0f90d65eabea65aa5919224f49f6f4acf3fea58cc1bc846b6f43309785c9aa364c31f47308f4d9ba4999824e2f9925cbd898091e0 |
memory/1680-18-0x0000000000220000-0x00000000002E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bf85459bcd619676863f0ae7edae0bea |
| SHA1 | 6a71d25bbbca675595a1a5f6029318c2efdf1d50 |
| SHA256 | dd9b3ad44ba3112d0f29ae4dbbf8754c25c9ace3db46abdd7e641dacd2a5b0e2 |
| SHA512 | b7e46e1f57f0e4787d76f09902ebbe53793690870725a5ca58d58d402fe58ebae35bd948f738161de7268376c480bf642142d2c5da61b5b6df35f8f97594b35a |
memory/1216-21-0x00000000002A0000-0x0000000000369000-memory.dmp
\Users\Admin\AppData\Local\Temp\bekew.exe
| MD5 | fede500e040c2289c74bad66ff0fa366 |
| SHA1 | 3c5a65a5c0121f20ab47bee060fd651a47ed68af |
| SHA256 | a1a3338d59093a86e1ca2f10f455f37bf90f263b098e9b6bae65dc6499e35a8b |
| SHA512 | b936ff9fd1ed45cefeee7f1ef040e1aff777e0152110bcf779d1aaf31559c44fd8691d29d6e35a3ddd6a856629e248ffc51c2572ea078333980aea5763659b97 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 11:53
Reported
2024-10-07 11:56
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\niqay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mydad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d4d3b79f65ee45b192366b8f82b96a6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\niqay.exe
"C:\Users\Admin\AppData\Local\Temp\niqay.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\mydad.exe
"C:\Users\Admin\AppData\Local\Temp\mydad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1516-0-0x0000000000410000-0x00000000004D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\niqay.exe
| MD5 | 59a10c68789bb30c7be7a839fb7f80d2 |
| SHA1 | 618ae07d008b0be27110dc716604872ee2aa47db |
| SHA256 | a95b8ce38f46d52a1a2f74cf57075ed588076ae185fef7040e97de7b1b426760 |
| SHA512 | 8a64954988af02cf6b2abb90cd949253bb92b0483de1b3c1bab9b686d080a537cf0d6bb308041e213273d68ed4281a380bfee8fa5bbba244933d440249a4d7b1 |
memory/1468-10-0x0000000000340000-0x0000000000409000-memory.dmp
memory/1516-14-0x0000000000410000-0x00000000004D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3977506a4ee26db736f2405ff0a2cbd1 |
| SHA1 | eecb5066d3cabf44afa930a93a0ec9659885e6a4 |
| SHA256 | da769449401a5446cd799220f6a2dc8a7fb741d50cd2967d67139bfc2992e597 |
| SHA512 | 6c82a679e0f03daaa21844b0f90d65eabea65aa5919224f49f6f4acf3fea58cc1bc846b6f43309785c9aa364c31f47308f4d9ba4999824e2f9925cbd898091e0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1a5b382f1c5a4f1b3020790638b83765 |
| SHA1 | 70ec966b6a1155a73951ce8149cf6b926282076e |
| SHA256 | cb76c86e28cc6f0de8ce4dafda365a93773e3553ddc17cc1ecc128b9fb2e3e21 |
| SHA512 | c27fb0e55a5f18b654e6dd1da34e20a658cedcc826dc3713e553ec0cc269a91dcce8d3c7429ebd9a6ddff93905b933021a941c3de09196f227090277e412e8dc |
memory/1468-17-0x0000000000340000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mydad.exe
| MD5 | ef4f6c017f2fc76ee211de138e458898 |
| SHA1 | 1899c0582608958012b2d7c8a245a70e4418ad8a |
| SHA256 | 1f709d014a82fd8356e61fd0fee6b2b1e43692fa7c8747afdf190578d914aacb |
| SHA512 | ec1895687a6629014ee83e79268abf87448895aea90789f80632f333c33bd335498e9c5fe15aea55c7f69b0b015f1a6350752608d71b78208174fa76acd6e50f |