Analysis Overview
SHA256
e9032e9260de7940d5abea753cd892b27d8339e5d5c43829321e62316382ff5d
Threat Level: Known bad
The file 2492bca42e7bf362df953d59e7f38518_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 19:53
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 19:53
Reported
2024-10-09 01:01
Platform
win7-20240903-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vexyj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vujeve.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ejnin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vexyj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vexyj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vujeve.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vexyj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vujeve.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ejnin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vexyj.exe
"C:\Users\Admin\AppData\Local\Temp\vexyj.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\vujeve.exe
"C:\Users\Admin\AppData\Local\Temp\vujeve.exe" OK
C:\Users\Admin\AppData\Local\Temp\ejnin.exe
"C:\Users\Admin\AppData\Local\Temp\ejnin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2628-0-0x0000000000400000-0x00000000004679C5-memory.dmp
\Users\Admin\AppData\Local\Temp\vexyj.exe
| MD5 | e9bc69be954248cf820e93417ed4c5c7 |
| SHA1 | d9c7d383f15ca13436486a366d11e6b71ec1bbd3 |
| SHA256 | 80a0011c7911255d24bd8aa65ce2f4d4f77d2b37ca77d28fbc22179ea54995c2 |
| SHA512 | 0214fcaad5931a4fb72dc19f196e0a50fe43318682b0a00e390b4ffc6e150068e70767726b5c412ef23bb476b53951b41998ff4363cc0a16c83da82ca74fdb07 |
memory/2628-12-0x0000000002740000-0x00000000027A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 179a02a15d7c5304048322beed6259b7 |
| SHA1 | 2d2dd177ee6be5e1534fa4bee9bb7c2cb5dc9069 |
| SHA256 | 82bc7cf7badf621ea0fa2d34dc6ecbfb7b077718bb4100a9119729ba3d559888 |
| SHA512 | a34e43da59cadd80064301b074c4efc7590cb7a2a749bcdc93df6185153da3ba3435b53924dcfbee2c37fd0f5caf3230e63e99888b2ad6172570e2f7fcfe5c46 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 745227e5b597a6f06c5fe85710d86eda |
| SHA1 | fa7235abb51c12fe93bdfdc378b7dbbd1d641606 |
| SHA256 | 6fad6ef79e11d797c79122eddfa71f53411490071331481da5398d8a12064272 |
| SHA512 | dc1486768d1e80389c845c96c0f6b391ff8820dfcfea41cc8e4e8eb4c7699c89d56e76f874e710f95cf48acf7f089eb57c69e0c0dafb83e6e2f1fbe67841b7a9 |
memory/2668-14-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2628-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2628-10-0x0000000002740000-0x00000000027A8000-memory.dmp
\Users\Admin\AppData\Local\Temp\vujeve.exe
| MD5 | 59c0e41f27d2dc1cf399e67e8de017c0 |
| SHA1 | 086579427d97b441670870926277f793cc962b04 |
| SHA256 | 6e0d1f2a473d2c4059621b8fef7d97e43f772ce75088367ed7d223a891adb1fe |
| SHA512 | af0238bf7295b103f9dd1860c802b31f60319adb60db39715afd9abb239f6e6f692a80d446adf329e191d9301e15568b8d83ace2fa3ed6595a02d2012f39d6c0 |
memory/2668-35-0x0000000003770000-0x00000000037D8000-memory.dmp
memory/2668-34-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2556-37-0x0000000000400000-0x00000000004679C5-memory.dmp
\Users\Admin\AppData\Local\Temp\ejnin.exe
| MD5 | d8d98b8949d10ab7197a37250434c75b |
| SHA1 | 91f7639ca3d1378e58be24ac211adc956a90e1f0 |
| SHA256 | 5e2f40ad496c4784b07a8a3bf2c8f23a3b4bed409dd6f8999ff963476bd304cc |
| SHA512 | 596387892be80a9eee281cad083b7651e3e3f972f3eaadc51ce33e8569066164314f318c7307b9d5749710bf79c4fdd86b8b882250663d7c3dd271e26e41311c |
memory/2556-41-0x0000000003BA0000-0x0000000003C40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | efaad96b64adde2d78d2662eed8964a4 |
| SHA1 | e923a6e7ec631f3e6828f063424694ad77574266 |
| SHA256 | b497088f15ada38c263acdb0e39e597b18b38eeeffa89b77e765024739edf73b |
| SHA512 | c5cfbed4a3ef2a210d27dc6228a80983955999b27c0e71cc2287934c582545dd78dda0259c0a51eb7f0b315935be6305cdfa19be3bd06412f86665dd88f007e4 |
memory/2556-53-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2040-57-0x00000000008B0000-0x0000000000950000-memory.dmp
memory/2040-58-0x00000000008B0000-0x0000000000950000-memory.dmp
memory/2040-59-0x00000000008B0000-0x0000000000950000-memory.dmp
memory/2040-60-0x00000000008B0000-0x0000000000950000-memory.dmp
memory/2040-61-0x00000000008B0000-0x0000000000950000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 19:53
Reported
2024-10-09 00:59
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
97s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lupad.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qoycys.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lupad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoycys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deqaw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lupad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoycys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\deqaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2492bca42e7bf362df953d59e7f38518_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\lupad.exe
"C:\Users\Admin\AppData\Local\Temp\lupad.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qoycys.exe
"C:\Users\Admin\AppData\Local\Temp\qoycys.exe" OK
C:\Users\Admin\AppData\Local\Temp\deqaw.exe
"C:\Users\Admin\AppData\Local\Temp\deqaw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1756-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lupad.exe
| MD5 | c5fe0a451b1ba0f3a459a8e7383a0114 |
| SHA1 | 7cbbcde6779162a3c182ea9f50d99413692a6ea6 |
| SHA256 | 730aea2ac2fabc18bc4a45b1c68fcb1facc2d5f6d5eafb215a687a3e62acb7d9 |
| SHA512 | 700ef9466811515dd04fa68e255cdb72f0b3e1febbcab246f34642852aeddf1d558664c1e2b21a8697c503835b2e31988bb6ddc777ec63c6640ba44baee149bb |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b5d3ae0bd4790842c62429cf599b5619 |
| SHA1 | 12ce31c2b1a331d8120d5105dc1b790f22e8434d |
| SHA256 | f4bb8729327ceb5cf47d563578ad603225dd1a592b570ddde137ec084a9c7c04 |
| SHA512 | a954cb97e81875afef7e254d0b1f4113c5b6b825679394e4cb1703a6e18f92a135ab3f44044f9a3c9aa9ae2aa19f0a714ef87bd5bd419b6d8bbbab261fa2373a |
memory/2040-12-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1756-15-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 745227e5b597a6f06c5fe85710d86eda |
| SHA1 | fa7235abb51c12fe93bdfdc378b7dbbd1d641606 |
| SHA256 | 6fad6ef79e11d797c79122eddfa71f53411490071331481da5398d8a12064272 |
| SHA512 | dc1486768d1e80389c845c96c0f6b391ff8820dfcfea41cc8e4e8eb4c7699c89d56e76f874e710f95cf48acf7f089eb57c69e0c0dafb83e6e2f1fbe67841b7a9 |
C:\Users\Admin\AppData\Local\Temp\qoycys.exe
| MD5 | faa45369c71304d4ecc0c71a882852b2 |
| SHA1 | 79a5762e2daad1addb9ba5075db6c84ef5603bf3 |
| SHA256 | 32fd652efdc561cbfdaaa4066d00b1b2da56b3d9e246793b9fa68b813afdff1a |
| SHA512 | 2b4d56e7e07cd5874baffd266a2160c4471691348a08a860b8ed5984ef60e8a66c0bbbf2e7f543f3904323935f5db43034553105bcae2ee3f267263898c09f52 |
memory/2040-26-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/3280-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/3280-27-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\deqaw.exe
| MD5 | 607a67a73a0dc9315df35efa023cb6db |
| SHA1 | 66df7f6eb159ba997cefa26e3c72565d5fb15aa6 |
| SHA256 | a39bc5576dc35c71ee08dbb0f429a9b98c8cb2bd7b28977eb04e9b908a468d82 |
| SHA512 | b3358a02e003325a57c617afa92735a8dfc4f8ddeb3175ef90b17e6e1340a98a0584b90607362cd1a80f491fc7d31ddb9837e9ca4b51376fa0f2fde9fe67ef3f |
memory/1912-38-0x0000000000CA0000-0x0000000000D40000-memory.dmp
memory/3280-40-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 66e7f574016efe33f82761e959e08514 |
| SHA1 | 1e9e1627992c2b2be13a29f530a66ed7ca4b22c6 |
| SHA256 | 4ed5d942cbad208ce2e0125dfc20993f873e497975c64299152588fa2f60c8aa |
| SHA512 | 5a3cbdcb7536c10934fc9908010c3a5f03729f157b26e0939c01c1175a736c5d61aef1ab2bad22fc2d190fffc0218b2fe6613783663f383504b8880a34b096ae |
memory/1912-43-0x0000000000CA0000-0x0000000000D40000-memory.dmp
memory/1912-44-0x0000000000CA0000-0x0000000000D40000-memory.dmp
memory/1912-45-0x0000000000CA0000-0x0000000000D40000-memory.dmp
memory/1912-46-0x0000000000CA0000-0x0000000000D40000-memory.dmp
memory/1912-47-0x0000000000CA0000-0x0000000000D40000-memory.dmp