Analysis Overview
SHA256
6dcd8f4a3634f232a6d49b5a4b81aee5967925fc9276dd40b0042fd52487992d
Threat Level: Known bad
The file 223626e61dba14a75f6d85db8f4e930b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 15:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 15:19
Reported
2024-10-08 20:22
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1828 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1828 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1828 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1828 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1828 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1828 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.144.22.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 140.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1828-0-0x0000000000550000-0x0000000000585000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 996e9e61efd222cdc45f7e9b26366b98 |
| SHA1 | 83c939caabfd71c9f90f387ed5b39b8e22eb9bfb |
| SHA256 | e5ca5a7ac24f4c7cb056568b12d9fd2a7960b7b7a7847e6f64569f1370685fe3 |
| SHA512 | b5e827b92fbabc18506e787cac560578932b11e4c429aacac871033ab23659c744dae68a205e91f0bd9d620d27144c012bff7d098b0080466b012e0a42b33ac9 |
memory/2244-10-0x0000000000940000-0x0000000000975000-memory.dmp
memory/1828-14-0x0000000000550000-0x0000000000585000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d7fb68bedbd9a51ba6910800c1867ef7 |
| SHA1 | b12cdf03c6f07f8f120ba9229c1e823df2871b7d |
| SHA256 | 9111818da0446f4a41d6a53fcd7a3c7d684264605e2530e1eaf8e400888b5326 |
| SHA512 | c1324f575ce5eddc3c06ad4dd3ed8cdd967583f4e36c06195f017240cc097b8f1ed8ae09bbbf97bd2a7a58b432d59b5435a1f995e51eb0a1057537adef315f31 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/2244-17-0x0000000000940000-0x0000000000975000-memory.dmp
memory/2244-19-0x0000000000940000-0x0000000000975000-memory.dmp
memory/2244-25-0x0000000000940000-0x0000000000975000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 15:19
Reported
2024-10-08 20:21
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\223626e61dba14a75f6d85db8f4e930b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2096-0-0x0000000000340000-0x0000000000375000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | c3f53f25f216b2ba9e633b9d6d09dc1e |
| SHA1 | 543c3d9762fb2acd1c374ccb1709b757b0d1ff56 |
| SHA256 | 8d0eadc0d21f655ed86eec2c08d08345b00dc6100bcf3267e696b4c3934b453e |
| SHA512 | 4bb6b7ab57c2494ca4282f1ecaac3d2dcf9ca57f3525349ad2d2c477d3e638d0bdd0668a64e0b67c605463707543d189ce02cc8b55fb00f27682422244d96c5e |
memory/1264-19-0x0000000000210000-0x0000000000245000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d7fb68bedbd9a51ba6910800c1867ef7 |
| SHA1 | b12cdf03c6f07f8f120ba9229c1e823df2871b7d |
| SHA256 | 9111818da0446f4a41d6a53fcd7a3c7d684264605e2530e1eaf8e400888b5326 |
| SHA512 | c1324f575ce5eddc3c06ad4dd3ed8cdd967583f4e36c06195f017240cc097b8f1ed8ae09bbbf97bd2a7a58b432d59b5435a1f995e51eb0a1057537adef315f31 |
memory/2096-8-0x0000000000670000-0x00000000006A5000-memory.dmp
memory/2096-18-0x0000000000340000-0x0000000000375000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/1264-22-0x0000000000210000-0x0000000000245000-memory.dmp
memory/1264-24-0x0000000000210000-0x0000000000245000-memory.dmp
memory/1264-31-0x0000000000210000-0x0000000000245000-memory.dmp