Malware Analysis Report

2024-11-16 13:24

Sample ID: 241009-hss44s1erk
Target: 2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118
SHA256: ba2e63e4ad2987080a58a3a0baf5e31188ecd37ab3611e96bf7f88e2ef0b6dea
Tags: urelas discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

ba2e63e4ad2987080a58a3a0baf5e31188ecd37ab3611e96bf7f88e2ef0b6dea

Threat Level: Known bad

The file 2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 07:00

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 07:00

Reported

2024-10-09 18:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2468-0-0x0000000000E70000-0x0000000000EA4000-memory.dmp

memory/2820-10-0x00000000003D0000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

MD5 a0e8b2a10e141c7d2ef26ca2ac4b1804
SHA1 c8e2195a7b99eaaef91e425ff0d5d5573f2478a0
SHA256 8cd08ec130d1338f754402b89aee180f9d1bf9a33ccc42782a645b2cb12da98e
SHA512 489c109850678081c82b76a2397ef3578216b27787f43dc42e133fb660e7471452e5952ff046b139caff52a0550326b9ea5d9050239ae159e0fe06c62f28bafa

memory/2468-8-0x0000000000670000-0x00000000006A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 cd912d016bae529c7c31324ffcf32e72
SHA1 2b37e71836d20308540c1c1be1c94b8c6a265ed7
SHA256 9c018087482cae4e6c6b7d98f421d5c74b8764f1d455a35d5fb708f5e2f9044f
SHA512 0ab8eea7b5c4a37243db7457137e0a9229f89971382713d21204912712922abddb2780d9c87af65498b57832515c1e4c12a8dcd9f20b4b568247d75ed33d4b55

memory/2468-18-0x0000000000E70000-0x0000000000EA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 39e55c2b5135dd669ad371cc03d79fc2
SHA1 d027fea84a269f8e556dfb5411ac3d01b9311017
SHA256 ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919
SHA512 e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

memory/2820-21-0x00000000003D0000-0x0000000000404000-memory.dmp

memory/2820-22-0x00000000003D0000-0x0000000000404000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 07:00

Reported

2024-10-09 18:21

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mokdhft.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2cdba1883ad901c226d88bf6399e04e8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp
KR | 112.175.88.209:11170 | | tcp
US | 8.8.8.8:53 | 135.72.21.2.in-addr.arpa | udp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/4324-0-0x0000000000F90000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

MD5 32032541a2c758c82ac1545275406875
SHA1 098b54050342fe40f593d9f8feabca5b52b4639b
SHA256 a0bbc2f8d44b70638d6181aa607971d13a4756be818196886149795a2f4e9860
SHA512 002ed6e02f11ddf3c3b239ca925903b1c6ddd3444b0bb934bfd10468e3d800ff029f2e7efec4905f87edb7affb45ee3ffb86d847935e5bfc0fbfcce12d7a9750

memory/3700-10-0x0000000000D60000-0x0000000000D94000-memory.dmp

memory/4324-14-0x0000000000F90000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 cd912d016bae529c7c31324ffcf32e72
SHA1 2b37e71836d20308540c1c1be1c94b8c6a265ed7
SHA256 9c018087482cae4e6c6b7d98f421d5c74b8764f1d455a35d5fb708f5e2f9044f
SHA512 0ab8eea7b5c4a37243db7457137e0a9229f89971382713d21204912712922abddb2780d9c87af65498b57832515c1e4c12a8dcd9f20b4b568247d75ed33d4b55

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 39e55c2b5135dd669ad371cc03d79fc2
SHA1 d027fea84a269f8e556dfb5411ac3d01b9311017
SHA256 ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919
SHA512 e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

memory/3700-17-0x0000000000D60000-0x0000000000D94000-memory.dmp

memory/3700-18-0x0000000000D60000-0x0000000000D94000-memory.dmp