Malware Analysis Report

2024-11-16 13:26

Sample ID 241007-p6ra1azfkd
Target 1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118
SHA256 15ae52a0e18c0322b76651f607b33670bed8288916be372872e49c7c61307a26
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15ae52a0e18c0322b76651f607b33670bed8288916be372872e49c7c61307a26

Threat Level: Known bad

The file 1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 12:56

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 12:56

Reported

2024-10-08 11:33

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country Destination Domain Proto
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
KR 218.54.30.235:11120 tcp

Files

memory/2924-0-0x0000000000050000-0x00000000000D2000-memory.dmp

memory/2924-1-0x0000000000050000-0x00000000000D2000-memory.dmp

\Users\Admin\AppData\Local\Temp\sander.exe

MD5 0043cbb0dc4f9311a9cdf0218c6ed352
SHA1 aa0082508068f40058ea935226862a86b23a9b85
SHA256 be025bb5573bbbc526f5bd10358c20dade06e6e0bbaf610bf329bce3ee2cb996
SHA512 96f135b1a8a20a2065990a64c17fab00a3e124a1bf11698388b954ad90aba6badb56af3be366ec903deae8fa5cf60d32bc2ccd091b2d9339e86b76cf53636106

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 e419d1b7b0556822a224aa2bd4f7711e
SHA1 88344ccd5a10f11b58c96a06c2b1c65fa2f023f0
SHA256 3c22edd6ba119ccd7a66c073779893a7012339cf63d7f1f1b9dc6d06617b3a4d
SHA512 2eb0186481e2b11d6e0991b922363bdcec5b7e936cec95e51ec7323aae40cd5d48ebd929d6ea209e685fc426d1a9d7847e654e4c105c317ab7a8c47977f615be

memory/2144-19-0x0000000000050000-0x00000000000D2000-memory.dmp

memory/2924-18-0x0000000000050000-0x00000000000D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/2144-22-0x0000000000050000-0x00000000000D2000-memory.dmp

memory/2144-23-0x0000000000050000-0x00000000000D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 12:56

Reported

2024-10-07 12:59

Platform

win10v2004-20241007-en

Max time kernel

97s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sander.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1760-0-0x0000000000790000-0x0000000000812000-memory.dmp

memory/1760-1-0x0000000000790000-0x0000000000812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 4949908de28fa222f51c26b59a35c881
SHA1 b62be5af41dfb1d1b91427de669164420c20dd03
SHA256 9231c53eeb5a0630a2624ded8b7767d993f956a39095518ec0b0ef0e6775e558
SHA512 ec57070be2e44c742f3ca30c6d034eea77fbf2d92f359707d47a3f419253caf1acaa3107996803d313da5381062b8223be1cb0aacd850ec1f4d820edec2078fd

memory/2088-14-0x0000000000220000-0x00000000002A2000-memory.dmp

memory/2088-11-0x0000000000220000-0x00000000002A2000-memory.dmp

memory/1760-16-0x0000000000790000-0x0000000000812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 e419d1b7b0556822a224aa2bd4f7711e
SHA1 88344ccd5a10f11b58c96a06c2b1c65fa2f023f0
SHA256 3c22edd6ba119ccd7a66c073779893a7012339cf63d7f1f1b9dc6d06617b3a4d
SHA512 2eb0186481e2b11d6e0991b922363bdcec5b7e936cec95e51ec7323aae40cd5d48ebd929d6ea209e685fc426d1a9d7847e654e4c105c317ab7a8c47977f615be

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/2088-19-0x0000000000220000-0x00000000002A2000-memory.dmp

memory/2088-20-0x0000000000220000-0x00000000002A2000-memory.dmp