Analysis Overview
SHA256
9d8ba9c823ce72c9b097232772311d11a06df8ec3e49d091a1a3eafc63f3bb66
Threat Level: Known bad
The file 2e179cddc3d5076a499c26ad79385813_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 08:41
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 08:41
Reported
2024-10-09 20:57
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2388-0-0x0000000000D90000-0x0000000000DC4000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | af3acb1955746b260b88789e880fdc4d |
| SHA1 | 566a05692772abad252eae3294eee1f3b97b05ca |
| SHA256 | 5ad92ca566de9bab0fb38fd5a0d8d6b6c431c273875504ae3bdf20a95698995f |
| SHA512 | 25ec642a3d9a9aac554fe4a1841109855a266b6a57057beb2c75ca0053991a16cb5154552895b2e3ee00fe8acc947d13342937ce010e766eb7d64182923932d7 |
memory/2388-6-0x00000000005A0000-0x00000000005D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3c2aab2d176c03b90960225075091c0c |
| SHA1 | 7b7587dc215b4d3a13bf54209b575c0bbc32424f |
| SHA256 | 090d67342960293efc9ba39d584dfd3c573a71034a97f55b5927466e58591510 |
| SHA512 | 119ba2fbb36352cae2d2bbb6379666bb1be8becd8075a939440a7e5e0acec7c3fdbbe7b8eb92ac9df8dde9e13e8509992e48ee9aa421b3a10201c7d35ab04339 |
memory/2388-17-0x0000000000D90000-0x0000000000DC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2776cde4761cefd1198f4712989957b1 |
| SHA1 | c801245a080524e704e8e3da95700e58e9d1ca3c |
| SHA256 | 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f |
| SHA512 | bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a |
memory/2920-20-0x0000000001370000-0x00000000013A4000-memory.dmp
memory/2920-21-0x0000000001370000-0x00000000013A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 08:41
Reported
2024-10-09 20:57
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5072 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 5072 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 5072 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 5072 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5072 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5072 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/5072-0-0x0000000000450000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | ec69726afd74da10d121e5fe44636bcf |
| SHA1 | 34cae97e3c2e2e4a45bb95ee1793032be11acd69 |
| SHA256 | e8d338298e92b0829dfb77fab8e6b4c8c6bd69da09c979267c35abcdefb3f3bb |
| SHA512 | 0f1f978fe26bb39843768e9f210c8ea1e830f3f87e4dd24e5178cabeee9a79510c26af577614c296b0f68cfa0a387e430e69b2075370d29426028760ba18da29 |
memory/4504-10-0x0000000000750000-0x0000000000784000-memory.dmp
memory/5072-14-0x0000000000450000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3c2aab2d176c03b90960225075091c0c |
| SHA1 | 7b7587dc215b4d3a13bf54209b575c0bbc32424f |
| SHA256 | 090d67342960293efc9ba39d584dfd3c573a71034a97f55b5927466e58591510 |
| SHA512 | 119ba2fbb36352cae2d2bbb6379666bb1be8becd8075a939440a7e5e0acec7c3fdbbe7b8eb92ac9df8dde9e13e8509992e48ee9aa421b3a10201c7d35ab04339 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2776cde4761cefd1198f4712989957b1 |
| SHA1 | c801245a080524e704e8e3da95700e58e9d1ca3c |
| SHA256 | 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f |
| SHA512 | bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a |
memory/4504-17-0x0000000000750000-0x0000000000784000-memory.dmp
memory/4504-18-0x0000000000750000-0x0000000000784000-memory.dmp