Analysis Overview
SHA256
fa62c82921437a25ffa76fcc1cb8fb6b1f36c264c3fed5b34020b1b4d06f0a68
Threat Level: Known bad
The file 28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 01:51
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 01:51
Reported
2024-10-09 09:21
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | N/A | tcp |
| KR | 121.88.5.184:11170 | N/A | tcp |
| KR | 218.54.28.139:11120 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\poldge.exe
| MD5 | 6f5d988a682791ce07f41efe43ff8342 |
| SHA1 | 4e436af43a873cd5811a5d305c4135946aca4c6e |
| SHA256 | 2d4e8a4cd4237904da94dba162e3a58cf7847f4f83eebbe379d761f4fe79c7c3 |
| SHA512 | 73479bde4f38ab45c52c498f4d7a1513510bbd13bd7f193853e0257886fa0b0e5591515ad6322ce21d7e1736bcc18429ae4de3e3b5128dd9f2135e5e68ed9440 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | ea9c81183deabfbdad368b25aab223ff |
| SHA1 | 1af5db1cf2fe8997e46ac8a8609473ace517fee3 |
| SHA256 | 98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f |
| SHA512 | 70cbfb6160de92b2449cbef6f6cd61be0a15ccb34242ff5418e1df22046be2bd64f314e05f2ae4c7e3c82981fbe8daa3af459eda8ad7a5979d3dd305b21e8a8b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 261cad3829355ee152989f4fd170f2bd |
| SHA1 | c24ad48a91727956f875ea367fa4f8fc3a75ff6e |
| SHA256 | 7a3d979117a2eb33435467ab34963249935342a410ffaab2d8ab2aea01fb42bc |
| SHA512 | e89026bad45abd189f5fd3bcbbfd8e46314c42b6c85e0dc36feefd7c3321f2b4f29549bef4c83d1bcb8c2a8e19ec21c01a1be26cf8e7602396520e06ebad85ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 01:51
Reported
2024-10-09 09:21
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4356 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 4356 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 4356 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 4356 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4356 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4356 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | N/A | tcp |
| KR | 121.88.5.184:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\poldge.exe
| MD5 | c16fba6758a2f11e2830dab50056b2e1 |
| SHA1 | c4aa893ca2821b46c81bd99cd890b5014602de03 |
| SHA256 | 71035f0074d049de0100d4d943faf476d71582913772fa22f644b0f28f1de8fe |
| SHA512 | 4094ecb08108ac0d7f71632181137525869ac7e835e53116592da26ce223a1ff313ce98c8ffe57d4dbcafd6b5c2069a83f22c3b456fa15d0515616a6f007ced9 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | ea9c81183deabfbdad368b25aab223ff |
| SHA1 | 1af5db1cf2fe8997e46ac8a8609473ace517fee3 |
| SHA256 | 98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f |
| SHA512 | 70cbfb6160de92b2449cbef6f6cd61be0a15ccb34242ff5418e1df22046be2bd64f314e05f2ae4c7e3c82981fbe8daa3af459eda8ad7a5979d3dd305b21e8a8b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 261cad3829355ee152989f4fd170f2bd |
| SHA1 | c24ad48a91727956f875ea367fa4f8fc3a75ff6e |
| SHA256 | 7a3d979117a2eb33435467ab34963249935342a410ffaab2d8ab2aea01fb42bc |
| SHA512 | e89026bad45abd189f5fd3bcbbfd8e46314c42b6c85e0dc36feefd7c3321f2b4f29549bef4c83d1bcb8c2a8e19ec21c01a1be26cf8e7602396520e06ebad85ea |
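The two detonations above show the same chain: the dropper in %TEMP% writes poldge.exe, sanfdr.bat and golfinfo.ini, executes poldge.exe, launches cmd /c sanfdr.bat (the "Deletes itself" signature), and poldge.exe reaches out to Korean hosts on TCP 11120/11170. Note that poldge.exe carries a different hash in each run (MD5 6f5d98... in behavioral1, c16fba... in behavioral2) while sanfdr.bat and golfinfo.ini hash identically, so only the latter two are usable as hash indicators. The script below turns that chain into detection logic and runs it over constructed, Sysmon-like events modelled on the report. It is an added example written for this page, not code from the sandbox report, from Hatching Triage or from the malware author; the Event field names and the PIDs 4356/2692/2448 (taken from the behavioral2 WriteProcessMemory table) are assumptions, and the sample events are constructed, not captured.

```python
"""Behavioural detection for the dropper -> poldge.exe -> cmd /c sanfdr.bat chain.

Added example for this page (not from the report, Triage or the malware author).
Sample events are constructed from the Processes, Network and Files sections.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# User-writable temp directory: the dropper and everything it writes live here.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)

# Matches the report's form  cmd /c ""C:\...\sanfdr.bat" "  and captures the path.
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"', re.I)

# Network IOCs copied from the report's two Network tables.
C2_ENDPOINTS = {("121.88.5.183", 11120), ("121.88.5.184", 11170), ("218.54.28.139", 11120)}

# sanfdr.bat and golfinfo.ini hash identically in both runs; poldge.exe does not,
# so it is matched by name and location only, never by hash.
STABLE_SHA256 = {
    "98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f": "sanfdr.bat",
    "7a3d979117a2eb33435467ab34963249935342a410ffaab2d8ab2aea01fb42bc": "golfinfo.ini",
}
DROPPED_NAMES = {"poldge.exe", "sanfdr.bat", "golfinfo.ini"}


@dataclass
class Event:
    kind: str               # "process", "network" or "file" (assumed schema)
    pid: int = 0
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    target: str = ""        # written file path for "file" events
    sha256: str = ""


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict per matching rule, in event order."""
    alerts: List[Dict[str, str]] = []
    temp_procs: Dict[int, str] = {}  # pid -> image for processes running from %TEMP%
    for e in events:
        if e.kind == "process":
            if in_temp(e.image):
                temp_procs[e.pid] = e.image
            parent = temp_procs.get(e.ppid)
            # Rule 1: a %TEMP% executable spawns another executable from %TEMP%.
            if parent and e.image.lower().endswith(".exe") and in_temp(e.image):
                alerts.append({"rule": "dropped_exe_executed",
                               "detail": f"{basename(parent)} -> {basename(e.image)}"})
            # Rule 2: that same parent runs cmd /c on a batch file in %TEMP% (self-delete).
            m = BAT_RE.search(e.cmdline)
            if parent and basename(e.image) == "cmd.exe" and m and in_temp(m.group(1)):
                alerts.append({"rule": "temp_bat_via_cmd",
                               "detail": f"{basename(parent)} -> cmd /c {basename(m.group(1))}"})
        elif e.kind == "network":
            # Rule 3: connection to one of the reported C2 endpoints.
            if (e.dst_ip, e.dst_port) in C2_ENDPOINTS:
                alerts.append({"rule": "urelas_c2_connect",
                               "detail": f"{basename(e.image)} -> {e.dst_ip}:{e.dst_port}"})
        elif e.kind == "file":
            # Rule 4: stable hash first, then dropped-file name in %TEMP%.
            name = basename(e.target)
            if e.sha256.lower() in STABLE_SHA256:
                alerts.append({"rule": "known_dropped_file_hash", "detail": name})
            elif name in DROPPED_NAMES and in_temp(e.target):
                alerts.append({"rule": "dropped_file_name", "detail": name})
    return alerts


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\28b6b0683f3e73644e6828fbaef101b6_JaffaCakes118.exe"
POLDGE = TEMP + r"\poldge.exe"
BAT = TEMP + r"\sanfdr.bat"

# Constructed events mirroring the behavioral2 run; the notepad line is a benign control.
SAMPLE_EVENTS = [
    Event("process", pid=4356, ppid=1234, image=DROPPER, cmdline='"' + DROPPER + '"'),
    Event("file", pid=4356, target=POLDGE,
          sha256="71035f0074d049de0100d4d943faf476d71582913772fa22f644b0f28f1de8fe"),
    Event("file", pid=4356, target=BAT,
          sha256="98c420cabe33830a0e0e2665029be913dcc38cfcc92d723cc5548f45d2580d1f"),
    Event("process", pid=2692, ppid=4356, image=POLDGE, cmdline='"' + POLDGE + '"'),
    Event("process", pid=2448, ppid=4356, image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'C:\Windows\system32\cmd.exe /c ""' + BAT + '" "'),
    Event("network", pid=2692, image=POLDGE, dst_ip="121.88.5.183", dst_port=11120),
    Event("process", pid=5000, ppid=1234, image=r"C:\Windows\System32\notepad.exe",
          cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:24} {a['detail']}")
```

Rules 1 and 2 key on the parent being a process that itself runs from %TEMP%, which is what separates this chain from an installer legitimately running a batch file; rule 3 is the narrowest and will age fastest, since the C2 hosts can change while the dropper behaviour does not.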