Analysis Overview
SHA256
9354f803190e48bd89e89d957af03931624af553fecaad1f7842e7f60ed3067e
Threat Level: Known bad
The file 26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 22:51
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 22:51
Reported
2024-10-09 05:37
Platform
win7-20240729-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\copok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kysih.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\copok.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\copok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kysih.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\copok.exe
"C:\Users\Admin\AppData\Local\Temp\copok.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kysih.exe
"C:\Users\Admin\AppData\Local\Temp\kysih.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2112-0-0x0000000000400000-0x000000000048C000-memory.dmp
memory/880-17-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2112-18-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2112-15-0x00000000025B0000-0x000000000263C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 332a68768fe095b2fffdc4c926a228cd |
| SHA1 | ddb249b82ecb5978e5383203cbb3be8fa03c75dd |
| SHA256 | 38f0b3e05eb5dbf428a0667abde18e1f8c256926bfa1f837ef9fe5657145eabd |
| SHA512 | ddc29c16a27f3a37c8705184d16e4aec239e20ad01f8aed6f14480ed6cf04ad5861595a142754baba7a84f7958d112027ee23e14ded67d62e4f94b28cb9fe8c7 |
C:\Users\Admin\AppData\Local\Temp\copok.exe
| MD5 | cf47e16ba96425330adcf5858ba427ab |
| SHA1 | 13286981c8a3434b7ed4ec8b892650246d42f456 |
| SHA256 | 2b7658c4fad388aa6db914a95c20b383bb6e6d42b460369a953ab771208b59d3 |
| SHA512 | 78a5d95e8eae15f489630cac904f3be6b068ab40514cc092892a11bf02fc6c4570ecbc96d2357d83782419c856a6be7bc86429d1e6808c4ea01369d1e0857afd |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b27d3573146b4936d7ff7c050192352f |
| SHA1 | 097439ea31941465054014bda686ca08799d468f |
| SHA256 | eb74baa7fd5f61e878904d3b184f3c76750bc2ff8bedae45e4ae6918ee8d52de |
| SHA512 | 6f8c7454b817a516ed906034820c639e5b4a6ae8d77d497a11a7850e3bcd5615829d4445e9b4ad4130f6a92c206fb52a65e2a656bfa7bc5c54fe07eb7b8075ca |
memory/880-21-0x0000000000400000-0x000000000048C000-memory.dmp
\Users\Admin\AppData\Local\Temp\kysih.exe
| MD5 | 627861d00f1adfccc8fea5758a69dea6 |
| SHA1 | a6c4336a15d46df6b39df087b98d6c5e48faf2b2 |
| SHA256 | 724a9d36764a9adbe4de0e845add5f89b1d5732ec2ffbd4b72398da74c369a0a |
| SHA512 | 3c25172c5dc0cf45e1833d24c3ffcaf8e019bca711ee3fdb26e9b4ead4d824077aa865001b9c4e1264a65391df295c7340334035317e7c7929526400ac2fce4e |
memory/1820-29-0x0000000000F00000-0x0000000000FA3000-memory.dmp
memory/880-30-0x0000000000400000-0x000000000048C000-memory.dmp
memory/880-28-0x00000000032B0000-0x0000000003353000-memory.dmp
memory/1820-32-0x0000000000F00000-0x0000000000FA3000-memory.dmp
memory/1820-33-0x0000000000F00000-0x0000000000FA3000-memory.dmp
memory/1820-34-0x0000000000F00000-0x0000000000FA3000-memory.dmp
memory/1820-35-0x0000000000F00000-0x0000000000FA3000-memory.dmp
memory/1820-36-0x0000000000F00000-0x0000000000FA3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 22:51
Reported
2024-10-09 05:37
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
99s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hoqui.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hoqui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\leqij.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\leqij.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hoqui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hoqui.exe
"C:\Users\Admin\AppData\Local\Temp\hoqui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\leqij.exe
"C:\Users\Admin\AppData\Local\Temp\leqij.exe"
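Worked detection example, added here and not part of the sandbox report: the three behaviours the report attributes to this sample (a Temp-resident EXE launching a second Temp-resident EXE, cmd.exe run with /c on a .bat under Temp, and reads of the NLS\Language and Geo\Nation keys by a Temp-resident process) expressed as rules over process-creation and registry events. The event records are constructed to mirror the behavioral1 process tree; the PIDs, the parent of each process and the explorer/notepad rows are assumptions, not values from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every dropped file in the report lives under the per-user Temp directory.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# A .bat path inside a command line, tolerant of the doubled quotes cmd /c produces.
BAT_RE = re.compile(r'([a-z]:\\[^"]*?\.bat)', re.I)
# Key suffixes behind the two locale-discovery signatures; compared as suffixes so that
# ControlSet001 vs CurrentControlSet and the user SID prefix do not matter.
LOCALE_KEY_SUFFIXES = (
    r"\control\nls\language",                    # System Location Discovery: System Language Discovery
    r"\control panel\international\geo\nation",  # Checks computer location settings
)

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str

def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))

def temp_bat_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the .bat path when cmdline is `cmd /c <Temp>\\x.bat`, else None."""
    if "/c" not in cmdline.lower():
        return None
    m = BAT_RE.search(cmdline)
    if m and in_temp(m.group(1)):
        return m.group(1)
    return None

def is_locale_key(key: str) -> bool:
    k = key.lower()
    return any(k.endswith(s) for s in LOCALE_KEY_SUFFIXES)

def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the three behaviours, in event order."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[Tuple[str, int]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if not parent or not in_temp(parent.image):
            continue
        # Rule 1: Temp-resident EXE launches another Temp-resident EXE (dropper -> payload).
        if in_temp(p.image) and p.image.lower().endswith(".exe"):
            findings.append(("temp_exe_spawns_temp_exe", p.pid))
        # Rule 2: Temp-resident EXE runs cmd /c on a Temp .bat (the self-delete pattern).
        elif p.image.lower().endswith("\\cmd.exe") and temp_bat_from_cmdline(p.cmdline):
            findings.append(("temp_exe_runs_temp_bat", p.pid))
    # Rule 3: Temp-resident EXE reads language / region keys (one finding per process).
    flagged = set()
    for r in regs:
        p = by_pid.get(r.pid)
        if p and in_temp(p.image) and is_locale_key(r.key) and r.pid not in flagged:
            flagged.add(r.pid)
            findings.append(("temp_exe_locale_discovery", r.pid))
    return findings

# Constructed events mirroring the behavioral1 process tree and registry accesses above.
# PIDs, parent relationships and the explorer/notepad rows are assumed, not from the report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\26a65f657c46bd516d1f4990d900d9b9_JaffaCakes118.exe"
SAMPLE_PROCS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2112, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(880, 2112, TEMP + r"\copok.exe", f'"{TEMP}\\copok.exe"'),
    ProcEvent(1500, 2112, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{TEMP}\\_uinsey.bat" "'),
    ProcEvent(1820, 880, TEMP + r"\kysih.exe", f'"{TEMP}\\kysih.exe"'),
    ProcEvent(1600, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]
SAMPLE_REGS = [
    RegEvent(2112, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    RegEvent(880, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    RegEvent(880, r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation"),
    RegEvent(1500, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),  # cmd.exe is not Temp-resident
    RegEvent(1600, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    images = {p.pid: p.image for p in SAMPLE_PROCS}
    for rule, pid in detect(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{rule:28s} pid={pid} image={images[pid]}")
```

Rule 3 on its own is noisy (many legitimate installers read NLS\Language); it is useful as a corroborating signal once Rule 1 or Rule 2 has already fired on the same process tree, which is how the report's signatures line up for this sample.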
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4996-0-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hoqui.exe
| MD5 | 7e1062d1aa4473d29de04d0a67c0deaf |
| SHA1 | c42b934f8af14f641c41e23cb0dace13799ebf42 |
| SHA256 | cf86751c21aff993f977a68034fdcc08c4d1516b6d6e0ee091ea955e62039c1a |
| SHA512 | 4a8e58869738d0dbab6ba532f9e50a754611c921aa4fc93a840d91ec0ff037cb9ecb1b860b667b0e36a3856cdb670779c017f42d291bf726dcd21e5565b92587 |
memory/4996-13-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 332a68768fe095b2fffdc4c926a228cd |
| SHA1 | ddb249b82ecb5978e5383203cbb3be8fa03c75dd |
| SHA256 | 38f0b3e05eb5dbf428a0667abde18e1f8c256926bfa1f837ef9fe5657145eabd |
| SHA512 | ddc29c16a27f3a37c8705184d16e4aec239e20ad01f8aed6f14480ed6cf04ad5861595a142754baba7a84f7958d112027ee23e14ded67d62e4f94b28cb9fe8c7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9f319e4489f79a54816b3e21f2aa5132 |
| SHA1 | f1f14a6a9e8803e45585cf0252ed301ab203608a |
| SHA256 | 652afba4f58ac1a9e521c131a515175e7504bf036da00d39758fb53b4110ef74 |
| SHA512 | 3c8264637fd9958f4c2f317d39897e6ae5edfd3672d220713eb2df90d6bfb20809c70959a9687b9d4a04fea741bfe964c96f20d2a344c81374f85340be92dd2a |
memory/2500-16-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\leqij.exe
| MD5 | 9cdf5f373d2d2664036a3291ca777f98 |
| SHA1 | 2bfd11f3c4213cc60069e8f05b0fd6193746fd95 |
| SHA256 | e9c756efcf92c5aace4fc50ef31ed1e45abe8e4a9f5aee62bca0213b15c8e267 |
| SHA512 | 1a378759e5636143b37543ca32953cf1217cc5ab84ac5b4c0519b0edc66c686756dda2528311601219dcbc55fcc1e32dc1443bcde448ba29682ed2b0a112cddf |
memory/4984-24-0x00000000005F0000-0x0000000000693000-memory.dmp
memory/2500-26-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4984-27-0x00000000012F0000-0x00000000012F1000-memory.dmp
memory/4984-29-0x00000000005F0000-0x0000000000693000-memory.dmp
memory/4984-30-0x00000000005F0000-0x0000000000693000-memory.dmp
memory/4984-31-0x00000000005F0000-0x0000000000693000-memory.dmp
memory/4984-32-0x00000000005F0000-0x0000000000693000-memory.dmp
memory/4984-33-0x00000000005F0000-0x0000000000693000-memory.dmp
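Worked IOC-triage example, added here and not part of the sandbox report: a parser for the Network table rows and the dropped-file hashes of both detonations that separates the TCP endpoints on ports 11110/11170 from the PTR lookups sent to the resolver, and computes which dropped-file hashes are the same across runs. The table rows are copied from the behavioral2 Network table as the report prints them (with the tcp rows' protocol sitting in the Domain column, which the parser corrects); the hash dictionary is copied from the two Files sections. The classification of PTR queries as non-IOC traffic is an analyst assumption stated in the comments.

```python
import re
from typing import Dict, List

# Rows copied from the behavioral2 Network table above, including the report's own
# misalignment of the tcp rows (proto in the Domain column), which the parser tolerates.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | tcp | |
| KR | 1.234.83.146:11170 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
"""

# SHA256 of each dropped file per run, copied from the two Files sections above.
DROPPED: Dict[str, Dict[str, str]] = {
    "behavioral1": {
        "_uinsey.bat": "38f0b3e05eb5dbf428a0667abde18e1f8c256926bfa1f837ef9fe5657145eabd",
        "copok.exe": "2b7658c4fad388aa6db914a95c20b383bb6e6d42b460369a953ab771208b59d3",
        "golfinfo.ini": "eb74baa7fd5f61e878904d3b184f3c76750bc2ff8bedae45e4ae6918ee8d52de",
        "kysih.exe": "724a9d36764a9adbe4de0e845add5f89b1d5732ec2ffbd4b72398da74c369a0a",
    },
    "behavioral2": {
        "_uinsey.bat": "38f0b3e05eb5dbf428a0667abde18e1f8c256926bfa1f837ef9fe5657145eabd",
        "hoqui.exe": "cf86751c21aff993f977a68034fdcc08c4d1516b6d6e0ee091ea955e62039c1a",
        "golfinfo.ini": "652afba4f58ac1a9e521c131a515175e7504bf036da00d39758fb53b4110ef74",
        "leqij.exe": "e9c756efcf92c5aace4fc50ef31ed1e45abe8e4a9f5aee62bca0213b15c8e267",
    },
}

# One table row: two-letter country, destination, domain (may be empty), proto (may be empty).
ROW_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")

def parse_network(rows: str) -> List[dict]:
    conns = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or malformed row
        cc, dest, domain, proto = m.groups()
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain  # misaligned row: move the protocol into its own column
        ip, port = dest.rsplit(":", 1)
        conns.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain or None, "proto": proto.lower()})
    return conns

def classify(conns: List[dict]) -> dict:
    """Separate PTR lookups (queries *about* other hosts) from candidate C2 endpoints."""
    ptr, c2 = set(), set()
    for c in conns:
        # Assumption: reverse lookups to the sandbox resolver are not attacker infrastructure;
        # the addresses being looked up are worth a second look, but the resolver itself is not an IOC.
        if c["proto"] == "udp" and c["port"] == 53 and (c["domain"] or "").endswith(".in-addr.arpa"):
            ptr.add(c["domain"])
        elif c["proto"] == "tcp":
            c2.add((c["ip"], c["port"]))
    return {
        "ptr_lookups": sorted(ptr),
        "c2_endpoints": sorted(c2),
        "c2_ports": sorted({port for _, port in c2}),
    }

def stable_hashes(dropped: Dict[str, Dict[str, str]]) -> List[str]:
    """Hashes present in every run; anything that changes per detonation is a poor file IOC."""
    runs = list(dropped.values())
    common = set(runs[0].values())
    for r in runs[1:]:
        common &= set(r.values())
    return sorted(common)

if __name__ == "__main__":
    report = classify(parse_network(NETWORK_ROWS))
    print("C2 endpoints:", report["c2_endpoints"])
    print("PTR lookups to resolver:", len(report["ptr_lookups"]))
    print("Stable dropped-file hashes:", stable_hashes(DROPPED))
```

Across the two detonations only the _uinsey.bat hash repeats; the dropped EXEs (copok/kysih vs hoqui/leqij) and golfinfo.ini differ in both name and hash, so the batch file hash plus the four TCP endpoints on 11110/11170 are the indicators worth pinning, not the per-run payload hashes.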