Malware Analysis Report

2024-11-16 13:24

Sample ID: 241009-cmkynasflm
Target: 28f75940f411b99ddc8effc0d621f299_JaffaCakes118
SHA256: 76fdaf526b215d3177fb35cbd9173bd44053567c48773a7760fdcab6d1bb306f
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 76fdaf526b215d3177fb35cbd9173bd44053567c48773a7760fdcab6d1bb306f

Threat Level: Known bad

The file 28f75940f411b99ddc8effc0d621f299_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-09 02:11

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-09 02:11
Reported: 2024-10-09 09:52
Platform: win7-20240729-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2732-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 139610afb915d17dd2ef2cab5fc9d0cd
SHA1 836dc1658d7b600ecacd7ac7914071f021fd78aa
SHA256 c6740034238de465644220a52b7ec730a86f98d0b42d2e4ed1c98a7d3d949431
SHA512 de5286454ace109ae3397527c795a35dfdb79e243f79958f6457964c2fd6690a2b11382fd319dd9a3bd4608fa7ef0aa84c1b77a77c4343202ab4c185534dbf5d

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 c9c803450c17d01b3d049ea54ca6798d
SHA1 4d37036d8aae7eb18ce09ca6d6ca50fae41d451c
SHA256 76de2239ed945de2c3acac685872e43e5cd080b9307f73e6f5055d947ccefa4f
SHA512 7f8d501217a1d8b5788ed46aa5144ed87778046bcc74b900b5249f60dc1b07becd55a7621e58eb8b7876c808bd113de20ea4b0546cd153b09892cd35433f7f3b

memory/2272-18-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2732-17-0x00000000025C0000-0x00000000025F7000-memory.dmp

memory/2732-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2272-22-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2732-21-0x00000000025C0000-0x00000000025F7000-memory.dmp

memory/2272-23-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-09 02:11
Reported: 2024-10-09 09:52
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28f75940f411b99ddc8effc0d621f299_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 112.175.88.209:11170 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/3680-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 0a6556ec255cec257507499745183dda
SHA1 e6caa0d056fbb619537e68d29f9d78e2252e866a
SHA256 1949a0cd1a1b512ef9854a6ff20bd0f0973c52541eb4149cb97c04830541822b
SHA512 76a932fe9f68ec091b6204b6a75fd8f6f243bba56d90f4f031a9e3fe94bcf9a327bc676e39016919117936ed4f67c88070bf85153d27dfadf2ef074dd7e9ee72

memory/3680-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 c9c803450c17d01b3d049ea54ca6798d
SHA1 4d37036d8aae7eb18ce09ca6d6ca50fae41d451c
SHA256 76de2239ed945de2c3acac685872e43e5cd080b9307f73e6f5055d947ccefa4f
SHA512 7f8d501217a1d8b5788ed46aa5144ed87778046bcc74b900b5249f60dc1b07becd55a7621e58eb8b7876c808bd113de20ea4b0546cd153b09892cd35433f7f3b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2328-19-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2328-20-0x0000000000400000-0x0000000000437000-memory.dmp