Analysis Overview
SHA256
0aca5e50f4865db31ce50fab7ff93c650561f452b89626206844057065774389
Threat Level: Known bad
The file 21f1711e0baa448b75f449c141e84a66_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 14:13
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 14:13
Reported
2024-10-08 19:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuziv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gopox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuziv.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gopox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nuziv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\gopox.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gopox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nuziv.exe
"C:\Users\Admin\AppData\Local\Temp\nuziv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\gopox.exe
"C:\Users\Admin\AppData\Local\Temp\gopox.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| JP | 133.242.129.155:11110 | N/A | tcp |
Files
memory/1076-0-0x0000000000D00000-0x0000000000DC9000-memory.dmp
\Users\Admin\AppData\Local\Temp\nuziv.exe
| MD5 | 32d5e7fd8bfb07f0b784bd5736a56d54 |
| SHA1 | f9d108f322396aa6ef3c306daa99e49a3fd76df7 |
| SHA256 | 64c0b367570e696287df7ecc08498d4c059216481656c64397372be4efe9009d |
| SHA512 | f3a8ecde9affe4d0a9a7d184fa7ab8b3b73fa38bc6dd08eee3525850af6a52c75651e19e560a983515568dd08d0d48447d4908fd41b340c4079905b525fd4a53 |
memory/2396-16-0x00000000012D0000-0x0000000001399000-memory.dmp
memory/1076-17-0x0000000000D00000-0x0000000000DC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | c12da5d78cf7ee9da4ef9d796eb4207f |
| SHA1 | 4a373fa0c6036513dc108e5e979bd1c153e79146 |
| SHA256 | ed31b47c72ff36297db4b977513fdd7236d9b8267b53116e205de16c6960aeb4 |
| SHA512 | d63a70dfc33a9fe954a0a468222b3a6143bec5e2293da8111b1a3f0add3cd41978fb0ccf5dcf5e12253673eed532c345e6420c6af2c4ae49d01c5cc48a96b45e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d96d3c9d6b9650bdc137c7c9dbbba1dc |
| SHA1 | f25f911938d85250b81cf2164b8c8c7adf2e3998 |
| SHA256 | a06f2380f02aacf30a3cb57d542550a1e0d864af812ab28969ec9affd2b94b2c |
| SHA512 | 18da511ef0eb125912bda501469f3236e978607358df166b55cf6dd4d1b3aea5f8a42d745ab4a0a90c3ff08fba2b87422b64bd37ceee7bb1f1244f3b09fc98ca |
memory/2396-20-0x00000000012D0000-0x0000000001399000-memory.dmp
\Users\Admin\AppData\Local\Temp\gopox.exe
| MD5 | b24da554b735c2b14814e08f0fd86832 |
| SHA1 | c1874b4aecc0fc7cb23f0b72b21ba776fc9c0c3f |
| SHA256 | 8e8c23efaa9e2e736d5abc1820e173d57ce08ccbbd8a1ac61596d7f802c38ed3 |
| SHA512 | 33d30a349cc59752eb85f803b389e9e21e547418dab94dcd4395450e6de8fa0ffb9c4883fa91bfc24a71886fcb014ecf60e7ef4ef5dfbf72f082e8a34a35a1e0 |
memory/2396-25-0x0000000003650000-0x00000000036DF000-memory.dmp
memory/2396-28-0x00000000012D0000-0x0000000001399000-memory.dmp
memory/2932-29-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nuziv.exe
| MD5 | edd16ee470b6fb3e385c7414277afd5e |
| SHA1 | febbbdc87676b5262ba0aa4b933f6fba00e3c2f9 |
| SHA256 | 083d51e48806c605e3bdae7e7e78e44928e3b57bfb42e76446a37ce148f9e58b |
| SHA512 | 929e9543391f64e1602c073a889f1978ac8a9d121f97d67006939593db8153084574df58f302604a1dedc82f733917244d00e1779386d8fb4f6133ad33306af0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 14:13
Reported
2024-10-08 19:43
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pibus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pibus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kuotk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pibus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kuotk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\kuotk.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kuotk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\pibus.exe
"C:\Users\Admin\AppData\Local\Temp\pibus.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kuotk.exe
"C:\Users\Admin\AppData\Local\Temp\kuotk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/1184-0-0x0000000000D90000-0x0000000000E59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pibus.exe
| MD5 | ccf934ce5cbe0671e03c00f92daedc18 |
| SHA1 | 5f262d7f2aac23ee337b6704ae7c39c8334a6706 |
| SHA256 | 258c303e9b0f621a961dec11cd15a317fafaea093d36373472cccaa3f92c184a |
| SHA512 | 6168b0c9c0a0ca58ad6344152abf52f18fcf878e8767b6fecc3c8c9033498e9b89f87dc6eafc3d9684d298a982e2e52407417f2e28991514854a9bdb7bc5676a |
memory/5036-11-0x0000000000B70000-0x0000000000C39000-memory.dmp
memory/1184-14-0x0000000000D90000-0x0000000000E59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | c12da5d78cf7ee9da4ef9d796eb4207f |
| SHA1 | 4a373fa0c6036513dc108e5e979bd1c153e79146 |
| SHA256 | ed31b47c72ff36297db4b977513fdd7236d9b8267b53116e205de16c6960aeb4 |
| SHA512 | d63a70dfc33a9fe954a0a468222b3a6143bec5e2293da8111b1a3f0add3cd41978fb0ccf5dcf5e12253673eed532c345e6420c6af2c4ae49d01c5cc48a96b45e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c5c9d52f5142d7f10444267fedeb9b3c |
| SHA1 | 06af4b4c1ccd79c9abedcb894114a6864f2cc0bf |
| SHA256 | a5e2be9fe168d3180c74785e955a226a945f5bb6ef5cb02ea0311eee5c0c9ebc |
| SHA512 | 2ae579443567af8d201efea779fcd2e92184c64ef18f7cf8f27414fe6881d6198a98a5707fb6ecff56e0400940bdfcd5575e89a40168791f6c9c396ceb5305e2 |
memory/5036-17-0x0000000000B70000-0x0000000000C39000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kuotk.exe
| MD5 | 854eb2084c5a13e81caaa618085fe716 |
| SHA1 | 22ca3c627f505eec45d5a85f5ec3bc76709c44ef |
| SHA256 | 883b4b2ad48c1163f18628e692bc3c931ee70d8ab1491a54793a85568140fe44 |
| SHA512 | 5218034f6c163cc1bacb0befe5ef3b2c04d97e759cd27adac5987b1a3815c724bfee6917ef533561b9882fdae40b1fbd31a9b23af8855225f9186b7f954fc8ac |