Malware Analysis Report

2024-11-16 13:26

Sample ID 241009-b9w4rs1bkr
Target 28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118
SHA256 fa62c82921437a25ffa76fcc1cb8fb6b1f36c264c3fed5b34020b1b4d06f0a68
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa62c82921437a25ffa76fcc1cb8fb6b1f36c264c3fed5b34020b1b4d06f0a68

Threat Level: Known bad

The file 28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 01:51

Signatures

Urelas family

urelas

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 01:51

Reported

2024-10-09 09:21

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 218.54.28.139:11120 | | tcp

Files

\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 6f5d988a682791ce07f41efe43ff8342
SHA1 4e436af43a873cd5811a5d305c4135946aca4c6e
SHA256 2d4e8a4cd4237904da94dba162e3a58cf7847f4f83eebbe379d761f4fe79c7c3
SHA512 73479bde4f38ab45c52c498f4d7a1513510bbd13bd7f193853e0257886fa0b0e5591515ad6322ce21d7e1736bcc18429ae4de3e3b5128dd9f2135e5e68ed9440

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 ea9c81183deabfbdad368b25aab223ff
SHA1 1af5db1cf2fe8997e46ac8a8609473ace517fee3
SHA256 98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f
SHA512 70cbfb6160de92b2449cbef6f6cd61be0a15ccb34242ff5418e1df22046be2bd64f314e05f2ae4c7e3c82981fbe8daa3af459eda8ad7a5979d3dd305b21e8a8b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 261cad3829355ee152989f4fd170f2bd
SHA1 c24ad48a91727956f875ea367fa4f8fc3a75ff6e
SHA256 7a3d979117a2eb33435467ab34963249935342a410ffaab2d8ab2aea01fb42bc
SHA512 e89026bad45abd189f5fd3bcbbfd8e46314c42b6c85e0dc36feefd7c3321f2b4f29549bef4c83d1bcb8c2a8e19ec21c01a1be26cf8e7602396520e06ebad85ea
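Two things in the behavioral1 run are worth turning into a hunt rather than a hash match. First, the process tree has the sample executing a second EXE dropped in its own Temp directory (poldge.exe) and handing a Temp-resident batch file (sanfdr.bat) to cmd.exe, which is the process the sandbox tags "Deletes itself"; second, the only TCP traffic goes to three Korean hosts on ports 11120 and 11170. Note that poldge.exe has a different MD5/SHA256 in behavioral1 and behavioral2 (6f5d988a… vs c16fba67…) while sanfdr.bat and golfinfo.ini are byte-identical across both runs, so a hash IOC for the dropped EXE will not transfer between infections; the process chain and the destination ports are the more stable signal. The NLS\Language key open is also recorded for cmd.exe, so that registry access is a weak discriminator on its own.

The script below is an added example, not part of the sandbox report. It encodes those two checks over constructed process-creation and connection events shaped after the behavioral1 sections; the pid/ppid/image/cmdline and pid/dst/dport/proto fields are an assumed EDR-style schema, not the sandbox's export format, and the attribution of each connection to a pid is assumed (the report lists destinations only). The port set is taken from this report and treated as C2 ports by assumption.

```python
"""
Hunt for the drop / execute / batch-cleanup chain recorded in behavioral1.

Added example, not part of the sandbox report. Event lists are constructed
to mirror the behavioral1 Processes and Network sections; the field names
are an assumed EDR-style schema, not the sandbox's own export format.
"""
import re

# Any path under the per-user Temp directory counts as "dropped".
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# First Windows path ending in .bat inside a command line, regardless of the
# cmd /c ""..." " double-quoting seen in the report.
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)
# TCP ports contacted in this report's Network section (assumed C2 ports).
SUSPICIOUS_PORTS = {11120, 11170}

ORIG = r"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
BATCH = r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat"

# Constructed process-creation events (pid 100 and 500 are benign filler).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": ORIG,    "cmdline": f'"{ORIG}"'},
    {"pid": 300, "ppid": 200, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c ""{BATCH}" "'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Constructed connection events; which pid made each connection is assumed
# (the report lists destinations only, not the originating process).
NETWORK_EVENTS = [
    {"pid": 300, "dst": "121.88.5.183", "dport": 11120, "proto": "tcp"},
    {"pid": 300, "dst": "121.88.5.184", "dport": 11170, "proto": "tcp"},
    {"pid": 300, "dst": "218.54.28.139", "dport": 11120, "proto": "tcp"},
    {"pid": 500, "dst": "8.8.8.8", "dport": 53, "proto": "udp"},
]


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def find_drop_chain(events):
    """Return (kind, parent_image, child_or_batch) for children of a
    Temp-resident parent: another Temp-resident EXE being executed, or
    cmd.exe being handed a Temp-resident .bat (the shape the sandbox tags
    'Deletes itself')."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_temp(parent["image"]):
            continue
        if in_temp(e["image"]):
            findings.append(("dropped_exe_executed", parent["image"], e["image"]))
        m = BAT_RE.search(e["cmdline"])
        if e["image"].lower().endswith("\\cmd.exe") and m and in_temp(m.group(1)):
            findings.append(("batch_from_temp_exe", parent["image"], m.group(1)))
    return findings


def find_c2_candidates(proc_events, net_events, ports=SUSPICIOUS_PORTS):
    """Return (image, 'ip:port') for TCP connections to the suspicious ports
    that originate from a Temp-resident process."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for n in net_events:
        p = by_pid.get(n["pid"])
        if n["proto"] == "tcp" and n["dport"] in ports and p and in_temp(p["image"]):
            hits.append((p["image"], f'{n["dst"]}:{n["dport"]}'))
    return hits


def hunt(proc_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS):
    """Combine both checks; a host is flagged only when the process chain and
    the outbound connection both appear, which cuts noise from either alone."""
    chain = find_drop_chain(proc_events)
    c2 = find_c2_candidates(proc_events, net_events)
    return {"chain": chain, "c2": c2, "flagged": bool(chain) and bool(c2)}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

Against the constructed events the chain check returns the poldge.exe execution and the sanfdr.bat hand-off, and the network check returns the three KR destinations, so `hunt()` flags the host. Replace the constructed lists with your own EDR export and the same two functions apply; requiring both the chain and a connection on the report's ports keeps a lone `cmd /c *.bat` from a user script from firing.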

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 01:51

Reported

2024-10-09 09:21

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp
KR | 218.54.28.139:11120 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 c16fba6758a2f11e2830dab50056b2e1
SHA1 c4aa893ca2821b46c81bd99cd890b5014602de03
SHA256 71035f0074d049de0100d4d943faf476d71582913772fa22f644b0f28f1de8fe
SHA512 4094ecb08108ac0d7f71632181137525869ac7e835e53116592da26ce223a1ff313ce98c8ffe57d4dbcafd6b5c2069a83f22c3b456fa15d0515616a6f007ced9

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 ea9c81183deabfbdad368b25aab223ff
SHA1 1af5db1cf2fe8997e46ac8a8609473ace517fee3
SHA256 98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f
SHA512 70cbfb6160de92b2449cbef6f6cd61be0a15ccb34242ff5418e1df22046be2bd64f314e05f2ae4c7e3c82981fbe8daa3af459eda8ad7a5979d3dd305b21e8a8b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 261cad3829355ee152989f4fd170f2bd
SHA1 c24ad48a91727956f875ea367fa4f8fc3a75ff6e
SHA256 7a3d979117a2eb33435467ab34963249935342a410ffaab2d8ab2aea01fb42bc
SHA512 e89026bad45abd189f5fd3bcbbfd8e46314c42b6c85e0dc36feefd7c3321f2b4f29549bef4c83d1bcb8c2a8e19ec21c01a1be26cf8e7602396520e06ebad85ea