Analysis Overview
SHA256
a24c0426d17c33cbc4a2eafe5dfb4bd2acb6c0453e977d103f628dbd87250489
Threat Level: Known bad
The file 27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 00:36
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 00:36
Reported
2024-10-09 07:57
Platform
win7-20240903-en
Max time kernel
147s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idpus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suxery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idpus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idpus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suxery.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idpus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\suxery.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibcye.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\idpus.exe
"C:\Users\Admin\AppData\Local\Temp\idpus.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\suxery.exe
"C:\Users\Admin\AppData\Local\Temp\suxery.exe" OK
C:\Users\Admin\AppData\Local\Temp\ibcye.exe
"C:\Users\Admin\AppData\Local\Temp\ibcye.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/3004-0-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/3004-19-0x0000000002530000-0x00000000025E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\idpus.exe
| MD5 | 415e1bdb65c239cb50e30fb4e26babd1 |
| SHA1 | 14c4ae26108ff64d0260fd4ba9a04443304bb740 |
| SHA256 | d1ae8881f8c8f6d444c655d36decb6313045ebcdc3023806d07e918253f71e87 |
| SHA512 | 848ce3b1c2affe80a67123d78cfb66f2a9e48c350197d792a6d62fdefca56868bf1b204c0565dfe42b15aa07f90942bde6c28c85412f6d1b5cf730f39b5e742f |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 72aa06dd6620260a26cf3461beaf6250 |
| SHA1 | 0d8cc3e085b98f3489dcb64db26574b31413f5d0 |
| SHA256 | 1f4aded6424c61a4c6916c2bd61b75e3bfb370fa6cc38255af89267eb6096062 |
| SHA512 | aa80f75bc4fcca89d57cdb076833cab38d37789959cb4cd954bce332037ba41fc377fcfa3231c3468a2a074ad87232947916f885422dd5aea1cfdee16532c7ca |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | d6fcdce42ff49e264a9ed290dceb6ae7 |
| SHA1 | 55bd849351d5a4f544cef518e3af7891add797ac |
| SHA256 | 27257fb061139304b960568eb5d65e208e7aafe8e287b4af352d38366cd27ff4 |
| SHA512 | 3059cbed127232f4609d4484ece1015224bdf025e3cb1a3cbefed6489dc993fec49174b0114f51e4940073cf1ea493794e5fb3e89e29a794c92b247087c63365 |
memory/3004-20-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1732-32-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1732-31-0x0000000003610000-0x00000000036C3000-memory.dmp
memory/1832-35-0x0000000000400000-0x00000000004B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\ibcye.exe
| MD5 | 33521573a7138df6b5b1b91214f93b4d |
| SHA1 | 8d2b6c67f72e197f35df33bcd02afdd5df8bed31 |
| SHA256 | 436efcf380ee051f1bd36abfe216840b161c84fb5f4b843a2e402cd050793dbf |
| SHA512 | b8ac8b94207bab1158e3358f342740791b8724761a3b14deddaa906e2291a639fef76eae8298bb6fe76fba9645f2d413cb26a4cae5c8f0c7734f182dc433d15e |
memory/1832-43-0x0000000003AE0000-0x0000000003C76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4a147dc263fba50d8d6d12dfc077ec0b |
| SHA1 | 1bd8f4476344199810649d344655674522fb20e8 |
| SHA256 | aa3dfdaaf1a6298d99b453e2c414e644a02ccb76f95d0f1d24d39920420e0111 |
| SHA512 | 929329742b2c33259d5bbd7258d85deedfd09331a2d384fe37b8a418bcf51f2f1e9df9e9f23e01f6e1597dbb340a5d5e919a1f98947225d6b3df478d562a6f4d |
memory/1832-53-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2652-45-0x0000000000400000-0x0000000000596000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2652-57-0x0000000000400000-0x0000000000596000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 00:36
Reported
2024-10-09 07:57
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ipdovy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kurel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kurel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ipdovy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tisyc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kurel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ipdovy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tisyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27d524b5c4969858886b8652c2fc9e1d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\kurel.exe
"C:\Users\Admin\AppData\Local\Temp\kurel.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ipdovy.exe
"C:\Users\Admin\AppData\Local\Temp\ipdovy.exe" OK
C:\Users\Admin\AppData\Local\Temp\tisyc.exe
"C:\Users\Admin\AppData\Local\Temp\tisyc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1376-0-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kurel.exe
| MD5 | 65a841005a178786c31e2902a2c00e10 |
| SHA1 | 7cdb41683c205dc991ab12987b5387200c3858de |
| SHA256 | 7b6d44e12d3f3a665e101d4c1cbcf60eb006c6542085969df4a7d2d1e6fa3307 |
| SHA512 | a7b3b677ee2207b57ee2e404de5321ce1218c7f8f8c95a921444072b75fc927180db71f3dff6fb2cb7ba7201074447f01edd2f8b39a3a742b81a6ce70989c5f2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b269d51f1bc6065b1076cf3d73b01a42 |
| SHA1 | 3e497a6c6b209b9deb9e6e33c029989e23261ca1 |
| SHA256 | e4150d6b2d4fafab76bc1e03b45b155b4a072682ac18cd45d44c342956cceed1 |
| SHA512 | 27e82a89e11502ea9267a16d29c2ed031c11aa7117b849268dba3f76a3c933f936e29056401982f94dfe554a7f08b0cf67d7dfda58499382dd19c0e72a716910 |
memory/1376-15-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | d6fcdce42ff49e264a9ed290dceb6ae7 |
| SHA1 | 55bd849351d5a4f544cef518e3af7891add797ac |
| SHA256 | 27257fb061139304b960568eb5d65e208e7aafe8e287b4af352d38366cd27ff4 |
| SHA512 | 3059cbed127232f4609d4484ece1015224bdf025e3cb1a3cbefed6489dc993fec49174b0114f51e4940073cf1ea493794e5fb3e89e29a794c92b247087c63365 |
memory/4972-23-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/3668-25-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tisyc.exe
| MD5 | 80cd39c7c20c59d7dd205ec6a3bb401f |
| SHA1 | 081d8b02fc7f0e08d8c87a3a2bda10939f0809b4 |
| SHA256 | 204a9cf1d005465b27c39de086699966a744a02b644062b106910733ce060d67 |
| SHA512 | 6e2e658f7df3286fbaf9921a83e7066baaed851e3e28e2c266b20a7a64d62edb4b190321345a157c1c08f90030d7ff77581bccd4a2fd5c0597508f624dc38fb4 |
memory/364-37-0x0000000000400000-0x0000000000596000-memory.dmp
memory/3668-39-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | dd7e8ce8e7a65a4ba78af8ce8fc22782 |
| SHA1 | 281e99c13a27424bad3fc61ac7ce7fc1681d6643 |
| SHA256 | 27fa74e30baba968c8d2113726e8f8670039153dfbdfc4bb928899e4658d64c7 |
| SHA512 | 3cc3c440d530f224d706911ee883768685f1f1c281ba1190abf291b4768f72e0cbd73bb6da35bea0e382d3fb6e13fa12af7a7779e8fd281f79d72e5b3db0a071 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/364-42-0x0000000000400000-0x0000000000596000-memory.dmp