Analysis Overview
SHA256: 76fdaf526b215d3177fb35cbd9173bd44053567c48773a7760fdcab6d1bb306f
Threat Level: Known bad
The file 28f75940f411b99ddc8effc0d621f299_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 02:11
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 02:11
Reported
2024-10-09 09:52
Platform
win7-20240729-en
Max time kernel
119s
Max time network
122s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2732-0-0x0000000000400000-0x0000000000437000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 139610afb915d17dd2ef2cab5fc9d0cd |
| SHA1 | 836dc1658d7b600ecacd7ac7914071f021fd78aa |
| SHA256 | c6740034238de465644220a52b7ec730a86f98d0b42d2e4ed1c98a7d3d949431 |
| SHA512 | de5286454ace109ae3397527c795a35dfdb79e243f79958f6457964c2fd6690a2b11382fd319dd9a3bd4608fa7ef0aa84c1b77a77c4343202ab4c185534dbf5d |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | c9c803450c17d01b3d049ea54ca6798d |
| SHA1 | 4d37036d8aae7eb18ce09ca6d6ca50fae41d451c |
| SHA256 | 76de2239ed945de2c3acac685872e43e5cd080b9307f73e6f5055d947ccefa4f |
| SHA512 | 7f8d501217a1d8b5788ed46aa5144ed87778046bcc74b900b5249f60dc1b07becd55a7621e58eb8b7876c808bd113de20ea4b0546cd153b09892cd35433f7f3b |
memory/2272-18-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2732-17-0x00000000025C0000-0x00000000025F7000-memory.dmp
memory/2732-16-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/2272-22-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2732-21-0x00000000025C0000-0x00000000025F7000-memory.dmp
memory/2272-23-0x0000000000400000-0x0000000000437000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 02:11
Reported
2024-10-09 09:52
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3680 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3680 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3680 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3680 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3680 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3680 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3680-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 0a6556ec255cec257507499745183dda |
| SHA1 | e6caa0d056fbb619537e68d29f9d78e2252e866a |
| SHA256 | 1949a0cd1a1b512ef9854a6ff20bd0f0973c52541eb4149cb97c04830541822b |
| SHA512 | 76a932fe9f68ec091b6204b6a75fd8f6f243bba56d90f4f031a9e3fe94bcf9a327bc676e39016919117936ed4f67c88070bf85153d27dfadf2ef074dd7e9ee72 |
memory/3680-16-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | c9c803450c17d01b3d049ea54ca6798d |
| SHA1 | 4d37036d8aae7eb18ce09ca6d6ca50fae41d451c |
| SHA256 | 76de2239ed945de2c3acac685872e43e5cd080b9307f73e6f5055d947ccefa4f |
| SHA512 | 7f8d501217a1d8b5788ed46aa5144ed87778046bcc74b900b5249f60dc1b07becd55a7621e58eb8b7876c808bd113de20ea4b0546cd153b09892cd35433f7f3b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/2328-19-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2328-20-0x0000000000400000-0x0000000000437000-memory.dmp