Analysis Overview
SHA256
148d7a4428f4536d13e6853048bb4d1f36bc0dc562bcabb70a508754bca49148
Threat Level: Known bad
The file 213a593fdecdbc529a44c54138e1d25e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 11:13
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 11:13
Reported
2024-10-08 18:05
Platform
win7-20240903-en
Max time kernel
68s
Max time network
62s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | N/A | tcp |
| KR | 121.88.5.184:11170 | N/A | tcp |
| KR | 218.54.30.235:11120 | N/A | tcp |
Files
memory/280-0-0x00000000003D0000-0x0000000000452000-memory.dmp
\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | 406cdd95444dae7aad98a5aa19f89a85 |
| SHA1 | b3937b9237a608e767b8b457b1430f7f93d6d3b6 |
| SHA256 | 6d90eedcd7868465cc8cb128e1faea292de143b11d0f1e70d9fdf8e6686b28db |
| SHA512 | 027cc13d1b8713c26a14b57729300254859267f74dc426105a9e9c7d1c84d8f84c62eefa06ad46e414ece52154e6f438751c879ec8a61c28c456b317f103777a |
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | aa576a6a5aaac4a683431043bc2a07bc |
| SHA1 | 72628745a91dc28f895f9df469b558a395cd07a6 |
| SHA256 | 1db89a6ad90af3ef0cc3e45b3df9d8d7f990dd02050c6d23937308b398a0b357 |
| SHA512 | ae9ef7cce9f4ba0973b320f42d4bd071572df303a69f348010b006d57c61131aaa5d63eee3921a52958cb89c8cde5c9a63c559d095e67d49c5e7254418877929 |
memory/2428-11-0x0000000000A50000-0x0000000000AD2000-memory.dmp
memory/280-10-0x00000000022E0000-0x0000000002362000-memory.dmp
memory/280-18-0x00000000003D0000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/2428-21-0x0000000000A50000-0x0000000000AD2000-memory.dmp
memory/2428-22-0x0000000000A50000-0x0000000000AD2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 11:13
Reported
2024-10-08 18:05
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 2072 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 2072 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sander.exe |
| PID 2072 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2072 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2072 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\213a593fdecdbc529a44c54138e1d25e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | N/A | tcp |
| KR | 121.88.5.184:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | N/A | tcp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
Files
memory/2072-0-0x00000000003E0000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | b3150bb7cfd25d07f475f01ac2e79d8b |
| SHA1 | f0de769cc0f01b8ee62f5c078f8280bb259eee44 |
| SHA256 | d05e4699cca7144992e0e6b2f4e17e5099587ed709f157875a99eaeba21e44be |
| SHA512 | 6946ed6e58c71780ed07c5742dde10c16998dc486ac1418fc258ee82500c0a007429e684d12a3b7df138ea263459b6823cd0bcfbb20cd9669d3f8ef044528970 |
memory/4752-10-0x0000000000CE0000-0x0000000000D62000-memory.dmp
memory/2072-14-0x00000000003E0000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | aa576a6a5aaac4a683431043bc2a07bc |
| SHA1 | 72628745a91dc28f895f9df469b558a395cd07a6 |
| SHA256 | 1db89a6ad90af3ef0cc3e45b3df9d8d7f990dd02050c6d23937308b398a0b357 |
| SHA512 | ae9ef7cce9f4ba0973b320f42d4bd071572df303a69f348010b006d57c61131aaa5d63eee3921a52958cb89c8cde5c9a63c559d095e67d49c5e7254418877929 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/4752-17-0x0000000000CE0000-0x0000000000D62000-memory.dmp
memory/4752-18-0x0000000000CE0000-0x0000000000D62000-memory.dmp