Analysis Overview
SHA256
ba2e63e4ad2987080a58a3a0baf5e31188ecd37ab3611e96bf7f88e2ef0b6dea
Threat Level: Known bad
The file 2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 07:00
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 07:00
Reported
2024-10-09 18:21
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2468-0-0x0000000000E70000-0x0000000000EA4000-memory.dmp
memory/2820-10-0x00000000003D0000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
| MD5 | a0e8b2a10e141c7d2ef26ca2ac4b1804 |
| SHA1 | c8e2195a7b99eaaef91e425ff0d5d5573f2478a0 |
| SHA256 | 8cd08ec130d1338f754402b89aee180f9d1bf9a33ccc42782a645b2cb12da98e |
| SHA512 | 489c109850678081c82b76a2397ef3578216b27787f43dc42e133fb660e7471452e5952ff046b139caff52a0550326b9ea5d9050239ae159e0fe06c62f28bafa |
memory/2468-8-0x0000000000670000-0x00000000006A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | cd912d016bae529c7c31324ffcf32e72 |
| SHA1 | 2b37e71836d20308540c1c1be1c94b8c6a265ed7 |
| SHA256 | 9c018087482cae4e6c6b7d98f421d5c74b8764f1d455a35d5fb708f5e2f9044f |
| SHA512 | 0ab8eea7b5c4a37243db7457137e0a9229f89971382713d21204912712922abddb2780d9c87af65498b57832515c1e4c12a8dcd9f20b4b568247d75ed33d4b55 |
memory/2468-18-0x0000000000E70000-0x0000000000EA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 39e55c2b5135dd669ad371cc03d79fc2 |
| SHA1 | d027fea84a269f8e556dfb5411ac3d01b9311017 |
| SHA256 | ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919 |
| SHA512 | e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280 |
memory/2820-21-0x00000000003D0000-0x0000000000404000-memory.dmp
memory/2820-22-0x00000000003D0000-0x0000000000404000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 07:00
Reported
2024-10-09 18:21
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4324 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe |
| PID 4324 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe |
| PID 4324 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe |
| PID 4324 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4324 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4324 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| US | 8.8.8.8:53 | 135.72.21.2.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4324-0-0x0000000000F90000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
| MD5 | 32032541a2c758c82ac1545275406875 |
| SHA1 | 098b54050342fe40f593d9f8feabca5b52b4639b |
| SHA256 | a0bbc2f8d44b70638d6181aa607971d13a4756be818196886149795a2f4e9860 |
| SHA512 | 002ed6e02f11ddf3c3b239ca925903b1c6ddd3444b0bb934bfd10468e3d800ff029f2e7efec4905f87edb7affb45ee3ffb86d847935e5bfc0fbfcce12d7a9750 |
memory/3700-10-0x0000000000D60000-0x0000000000D94000-memory.dmp
memory/4324-14-0x0000000000F90000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | cd912d016bae529c7c31324ffcf32e72 |
| SHA1 | 2b37e71836d20308540c1c1be1c94b8c6a265ed7 |
| SHA256 | 9c018087482cae4e6c6b7d98f421d5c74b8764f1d455a35d5fb708f5e2f9044f |
| SHA512 | 0ab8eea7b5c4a37243db7457137e0a9229f89971382713d21204912712922abddb2780d9c87af65498b57832515c1e4c12a8dcd9f20b4b568247d75ed33d4b55 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 39e55c2b5135dd669ad371cc03d79fc2 |
| SHA1 | d027fea84a269f8e556dfb5411ac3d01b9311017 |
| SHA256 | ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919 |
| SHA512 | e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280 |
memory/3700-17-0x0000000000D60000-0x0000000000D94000-memory.dmp
memory/3700-18-0x0000000000D60000-0x0000000000D94000-memory.dmp
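Both detonations show the same chain: the sample in %TEMP% executes a dropped mokdhft.exe from the same directory, launches cmd.exe /c on sanfdr.bat (the stage the sandbox attributes "Deletes itself" to), and then mokdhft.exe talks TCP to 112.175.88.207-209 on ports 11120/11150/11170. The following is an added example, not part of the sandbox report, that turns those observations into hunting logic: it parses a constructed, simplified key=value event format (hypothetical; real Sysmon or EDR telemetry needs its own parser), carries the file hashes and C2 endpoints listed above as indicators, and flags the process-chain shape and the network destinations. The parent PID 612 in the constructed events and the all-zero hash on the notepad.exe control line are made up for the example.

```python
"""Added example: hunt for the Urelas chain described in this report.

Indicator values are copied from the behavioral1/behavioral2 sections above.
The event format and the sample events are constructed for this example.
"""
import re
from collections import namedtuple

# Network indicators from both detonations (KR destinations, three ports).
C2_HOSTS = {"112.175.88.207", "112.175.88.208", "112.175.88.209"}
C2_PORTS = {11120, 11150, 11170}

# SHA256 values of the sample and the files it dropped, as listed in the report.
KNOWN_SHA256 = {
    "ba2e63e4ad2987080a58a3a0baf5e31188ecd37ab3611e96bf7f88e2ef0b6dea": "2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe (sample)",
    "8cd08ec130d1338f754402b89aee180f9d1bf9a33ccc42782a645b2cb12da98e": "mokdhft.exe (win7 run)",
    "a0bbc2f8d44b70638d6181aa607971d13a4756be818196886149795a2f4e9860": "mokdhft.exe (win10 run)",
    "9c018087482cae4e6c6b7d98f421d5c74b8764f1d455a35d5fb708f5e2f9044f": "sanfdr.bat",
    "ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919": "golfinfo.ini",
}

# Image path under a user's %TEMP%, as every dropped file in the report is.
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd.exe /c <something under \Temp\ ending in .bat>, the sanfdr.bat stage.
CMD_TEMP_BAT = re.compile(r'/c\s.*\\temp\\[^\s"]*\.bat', re.I)
# key=value or key="quoted value" tokens of the constructed event format.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Finding = namedtuple("Finding", "rule pid detail")


def parse(line):
    """Parse one constructed event line into a dict (hypothetical log format)."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def analyze(lines):
    """Return a list of Findings for the process-chain and C2 patterns in the report."""
    events = [parse(line) for line in lines]
    # Process table keyed by pid so a child can look up its parent's image.
    procs = {e["pid"]: e for e in events if e.get("type") == "proc"}
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "proc":
            image = e.get("image", "")
            parent_image = procs.get(e.get("ppid"), {}).get("image", "")
            sha = e.get("sha256", "").lower()
            if sha in KNOWN_SHA256:
                findings.append(Finding("known_hash", e["pid"], KNOWN_SHA256[sha]))
            # "Executes dropped EXE": a %TEMP% binary starts another %TEMP% binary.
            if TEMP_DIR.match(image) and TEMP_DIR.match(parent_image):
                findings.append(Finding("temp_spawns_temp_exe", e["pid"], image))
            # "Deletes itself" stage: %TEMP% binary runs cmd.exe /c on a .bat in %TEMP%.
            cmd = e.get("cmd", "")
            if (image.lower().endswith("\\cmd.exe") and TEMP_DIR.match(parent_image)
                    and CMD_TEMP_BAT.search(cmd)):
                findings.append(Finding("temp_bat_via_cmd", e["pid"], cmd))
        elif kind == "net":
            dport = int(e["dport"]) if e.get("dport", "").isdigit() else None
            if e.get("dst") in C2_HOSTS and dport in C2_PORTS:
                findings.append(Finding("urelas_c2", e["pid"], f'{e["dst"]}:{dport}'))
    return findings


# Constructed events mirroring the win10 run (pids 4324/3700/5064 are from the
# report; ppid 612, the notepad.exe control line and its hash are made up).
SAMPLE_EVENTS = [
    r'type=proc pid=4324 ppid=612 image=C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe sha256=ba2e63e4ad2987080a58a3a0baf5e31188ecd37ab3611e96bf7f88e2ef0b6dea',
    r'type=proc pid=3700 ppid=4324 image=C:\Users\Admin\AppData\Local\Temp\mokdhft.exe sha256=a0bbc2f8d44b70638d6181aa607971d13a4756be818196886149795a2f4e9860',
    r'type=proc pid=5064 ppid=4324 image=C:\Windows\SysWOW64\cmd.exe cmd="C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sanfdr.bat"',
    r'type=net pid=3700 dst=112.175.88.209 dport=11120 proto=tcp',
    r'type=net pid=3700 dst=8.8.8.8 dport=53 proto=udp',
    r'type=net pid=3700 dst=112.175.88.208 dport=11150 proto=tcp',
    r'type=proc pid=7000 ppid=612 image=C:\Windows\System32\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding.rule:22} pid={finding.pid:6} {finding.detail}")
```

On the constructed events the hash rule fires for the sample and mokdhft.exe, the chain rules fire for mokdhft.exe and the cmd.exe/sanfdr.bat launch, and the two KR connections are flagged while the DNS lookup is not. The hash and C2 rules are specific to this sample; the two chain rules describe a shape that ordinary installers also produce (a %TEMP% executable starting another and cleaning up via a batch file), so treat them as triage signals to pivot from rather than as verdicts. Note also that the report's "Suspicious use of WriteProcessMemory" rows show only the parent writing into each child it just created; that alone does not establish injection into an unrelated process.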