Analysis Overview
SHA256
15ae52a0e18c0322b76651f607b33670bed8288916be372872e49c7c61307a26
Threat Level: Known bad
The file 1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-07 12:56
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-07 12:56
Reported: 2024-10-08 11:33
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
Files
memory/2924-0-0x0000000000050000-0x00000000000D2000-memory.dmp
memory/2924-1-0x0000000000050000-0x00000000000D2000-memory.dmp
\Users\Admin\AppData\Local\Temp\sander.exe
| Hash | Value |
| --- | --- |
| MD5 | 0043cbb0dc4f9311a9cdf0218c6ed352 |
| SHA1 | aa0082508068f40058ea935226862a86b23a9b85 |
| SHA256 | be025bb5573bbbc526f5bd10358c20dade06e6e0bbaf610bf329bce3ee2cb996 |
| SHA512 | 96f135b1a8a20a2065990a64c17fab00a3e124a1bf11698388b954ad90aba6badb56af3be366ec903deae8fa5cf60d32bc2ccd091b2d9339e86b76cf53636106 |
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| Hash | Value |
| --- | --- |
| MD5 | e419d1b7b0556822a224aa2bd4f7711e |
| SHA1 | 88344ccd5a10f11b58c96a06c2b1c65fa2f023f0 |
| SHA256 | 3c22edd6ba119ccd7a66c073779893a7012339cf63d7f1f1b9dc6d06617b3a4d |
| SHA512 | 2eb0186481e2b11d6e0991b922363bdcec5b7e936cec95e51ec7323aae40cd5d48ebd929d6ea209e685fc426d1a9d7847e654e4c105c317ab7a8c47977f615be |
memory/2144-19-0x0000000000050000-0x00000000000D2000-memory.dmp
memory/2924-18-0x0000000000050000-0x00000000000D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/2144-22-0x0000000000050000-0x00000000000D2000-memory.dmp
memory/2144-23-0x0000000000050000-0x00000000000D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-07 12:56
Reported: 2024-10-07 12:59
Platform: win10v2004-20241007-en
Max time kernel: 97s
Max time network: 122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1760 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 1760 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 1760 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 1760 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1760 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1760 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d8fc91d0e2154fa3f505066acc51328_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1760-0-0x0000000000790000-0x0000000000812000-memory.dmp
memory/1760-1-0x0000000000790000-0x0000000000812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| Hash | Value |
| --- | --- |
| MD5 | 4949908de28fa222f51c26b59a35c881 |
| SHA1 | b62be5af41dfb1d1b91427de669164420c20dd03 |
| SHA256 | 9231c53eeb5a0630a2624ded8b7767d993f956a39095518ec0b0ef0e6775e558 |
| SHA512 | ec57070be2e44c742f3ca30c6d034eea77fbf2d92f359707d47a3f419253caf1acaa3107996803d313da5381062b8223be1cb0aacd850ec1f4d820edec2078fd |
memory/2088-14-0x0000000000220000-0x00000000002A2000-memory.dmp
memory/2088-11-0x0000000000220000-0x00000000002A2000-memory.dmp
memory/1760-16-0x0000000000790000-0x0000000000812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| Hash | Value |
| --- | --- |
| MD5 | e419d1b7b0556822a224aa2bd4f7711e |
| SHA1 | 88344ccd5a10f11b58c96a06c2b1c65fa2f023f0 |
| SHA256 | 3c22edd6ba119ccd7a66c073779893a7012339cf63d7f1f1b9dc6d06617b3a4d |
| SHA512 | 2eb0186481e2b11d6e0991b922363bdcec5b7e936cec95e51ec7323aae40cd5d48ebd929d6ea209e685fc426d1a9d7847e654e4c105c317ab7a8c47977f615be |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/2088-19-0x0000000000220000-0x00000000002A2000-memory.dmp
memory/2088-20-0x0000000000220000-0x00000000002A2000-memory.dmp