Malware Analysis Report

2024-11-16 13:26

Sample ID 241008-nbfqcathkm
Target 213a593fdecdbc529a44c54138e1d25e_JaffaCakes118
SHA256 148d7a4428f4536d13e6853048bb4d1f36bc0dc562bcabb70a508754bca49148
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 148d7a4428f4536d13e6853048bb4d1f36bc0dc562bcabb70a508754bca49148

Threat Level: Known bad

The file 213a593fdecdbc529a44c54138e1d25e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-08 11:13

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-08 11:13
Reported: 2024-10-08 18:05
Platform: win7-20240903-en
Max time kernel: 68s
Max time network: 62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 218.54.30.235:11120 | | tcp

Files

memory/280-0-0x00000000003D0000-0x0000000000452000-memory.dmp

\Users\Admin\AppData\Local\Temp\sander.exe

MD5 406cdd95444dae7aad98a5aa19f89a85
SHA1 b3937b9237a608e767b8b457b1430f7f93d6d3b6
SHA256 6d90eedcd7868465cc8cb128e1faea292de143b11d0f1e70d9fdf8e6686b28db
SHA512 027cc13d1b8713c26a14b57729300254859267f74dc426105a9e9c7d1c84d8f84c62eefa06ad46e414ece52154e6f438751c879ec8a61c28c456b317f103777a

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 aa576a6a5aaac4a683431043bc2a07bc
SHA1 72628745a91dc28f895f9df469b558a395cd07a6
SHA256 1db89a6ad90af3ef0cc3e45b3df9d8d7f990dd02050c6d23937308b398a0b357
SHA512 ae9ef7cce9f4ba0973b320f42d4bd071572df303a69f348010b006d57c61131aaa5d63eee3921a52958cb89c8cde5c9a63c559d095e67d49c5e7254418877929

memory/2428-11-0x0000000000A50000-0x0000000000AD2000-memory.dmp

memory/280-10-0x00000000022E0000-0x0000000002362000-memory.dmp

memory/280-18-0x00000000003D0000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/2428-21-0x0000000000A50000-0x0000000000AD2000-memory.dmp

memory/2428-22-0x0000000000A50000-0x0000000000AD2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-08 11:13
Reported: 2024-10-08 18:05
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
KR | 218.54.30.235:11120 | | tcp
US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp

Files

memory/2072-0-0x00000000003E0000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 b3150bb7cfd25d07f475f01ac2e79d8b
SHA1 f0de769cc0f01b8ee62f5c078f8280bb259eee44
SHA256 d05e4699cca7144992e0e6b2f4e17e5099587ed709f157875a99eaeba21e44be
SHA512 6946ed6e58c71780ed07c5742dde10c16998dc486ac1418fc258ee82500c0a007429e684d12a3b7df138ea263459b6823cd0bcfbb20cd9669d3f8ef044528970

memory/4752-10-0x0000000000CE0000-0x0000000000D62000-memory.dmp

memory/2072-14-0x00000000003E0000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 aa576a6a5aaac4a683431043bc2a07bc
SHA1 72628745a91dc28f895f9df469b558a395cd07a6
SHA256 1db89a6ad90af3ef0cc3e45b3df9d8d7f990dd02050c6d23937308b398a0b357
SHA512 ae9ef7cce9f4ba0973b320f42d4bd071572df303a69f348010b006d57c61131aaa5d63eee3921a52958cb89c8cde5c9a63c559d095e67d49c5e7254418877929

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/4752-17-0x0000000000CE0000-0x0000000000D62000-memory.dmp

memory/4752-18-0x0000000000CE0000-0x0000000000D62000-memory.dmp