Malware Analysis Report

2024-11-16 13:26

Sample ID 241008-sqpc9awema
Target 223626e61dba14a75f6d85db8f4e930b_JaffaCakes118
SHA256 6dcd8f4a3634f232a6d49b5a4b81aee5967925fc9276dd40b0042fd52487992d
Tags: urelas discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 6dcd8f4a3634f232a6d49b5a4b81aee5967925fc9276dd40b0042fd52487992d

Threat Level: Known bad

The file 223626e61dba14a75f6d85db8f4e930b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 15:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 15:19

Reported

2024-10-08 20:22

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 | N/A | tcp
KR | 218.54.47.74:11150 | N/A | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.144.22.2.in-addr.arpa | udp
KR | 218.54.47.76:11170 | N/A | tcp
US | 8.8.8.8:53 | 140.190.18.2.in-addr.arpa | udp
KR | 218.54.47.77:11150 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/1828-0-0x0000000000550000-0x0000000000585000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 996e9e61efd222cdc45f7e9b26366b98
SHA1 83c939caabfd71c9f90f387ed5b39b8e22eb9bfb
SHA256 e5ca5a7ac24f4c7cb056568b12d9fd2a7960b7b7a7847e6f64569f1370685fe3
SHA512 b5e827b92fbabc18506e787cac560578932b11e4c429aacac871033ab23659c744dae68a205e91f0bd9d620d27144c012bff7d098b0080466b012e0a42b33ac9

memory/2244-10-0x0000000000940000-0x0000000000975000-memory.dmp

memory/1828-14-0x0000000000550000-0x0000000000585000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d7fb68bedbd9a51ba6910800c1867ef7
SHA1 b12cdf03c6f07f8f120ba9229c1e823df2871b7d
SHA256 9111818da0446f4a41d6a53fcd7a3c7d684264605e2530e1eaf8e400888b5326
SHA512 c1324f575ce5eddc3c06ad4dd3ed8cdd967583f4e36c06195f017240cc097b8f1ed8ae09bbbf97bd2a7a58b432d59b5435a1f995e51eb0a1057537adef315f31

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/2244-17-0x0000000000940000-0x0000000000975000-memory.dmp

memory/2244-19-0x0000000000940000-0x0000000000975000-memory.dmp

memory/2244-25-0x0000000000940000-0x0000000000975000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 15:19

Reported

2024-10-08 20:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | N/A | tcp
KR | 218.54.47.74:11150 | N/A | tcp
KR | 218.54.47.76:11170 | N/A | tcp
KR | 218.54.47.77:11150 | N/A | tcp

Files

memory/2096-0-0x0000000000340000-0x0000000000375000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 c3f53f25f216b2ba9e633b9d6d09dc1e
SHA1 543c3d9762fb2acd1c374ccb1709b757b0d1ff56
SHA256 8d0eadc0d21f655ed86eec2c08d08345b00dc6100bcf3267e696b4c3934b453e
SHA512 4bb6b7ab57c2494ca4282f1ecaac3d2dcf9ca57f3525349ad2d2c477d3e638d0bdd0668a64e0b67c605463707543d189ce02cc8b55fb00f27682422244d96c5e

memory/1264-19-0x0000000000210000-0x0000000000245000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d7fb68bedbd9a51ba6910800c1867ef7
SHA1 b12cdf03c6f07f8f120ba9229c1e823df2871b7d
SHA256 9111818da0446f4a41d6a53fcd7a3c7d684264605e2530e1eaf8e400888b5326
SHA512 c1324f575ce5eddc3c06ad4dd3ed8cdd967583f4e36c06195f017240cc097b8f1ed8ae09bbbf97bd2a7a58b432d59b5435a1f995e51eb0a1057537adef315f31

memory/2096-8-0x0000000000670000-0x00000000006A5000-memory.dmp

memory/2096-18-0x0000000000340000-0x0000000000375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/1264-22-0x0000000000210000-0x0000000000245000-memory.dmp

memory/1264-24-0x0000000000210000-0x0000000000245000-memory.dmp

memory/1264-31-0x0000000000210000-0x0000000000245000-memory.dmp