Malware Analysis Report

2024-11-16 13:25

Sample ID 241009-kll4bszeml
Target 2e179cddc3d5076a499c26ad79385813_JaffaCakes118
SHA256 9d8ba9c823ce72c9b097232772311d11a06df8ec3e49d091a1a3eafc63f3bb66
Tags
urelas discovery trojan
score
10/10


Analysis Overview

score
10/10

SHA256

9d8ba9c823ce72c9b097232772311d11a06df8ec3e49d091a1a3eafc63f3bb66

Threat Level: Known bad

The file 2e179cddc3d5076a499c26ad79385813_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 08:41

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 08:41

Reported

2024-10-09 20:57

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

memory/2388-0-0x0000000000D90000-0x0000000000DC4000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 af3acb1955746b260b88789e880fdc4d
SHA1 566a05692772abad252eae3294eee1f3b97b05ca
SHA256 5ad92ca566de9bab0fb38fd5a0d8d6b6c431c273875504ae3bdf20a95698995f
SHA512 25ec642a3d9a9aac554fe4a1841109855a266b6a57057beb2c75ca0053991a16cb5154552895b2e3ee00fe8acc947d13342937ce010e766eb7d64182923932d7

memory/2388-6-0x00000000005A0000-0x00000000005D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3c2aab2d176c03b90960225075091c0c
SHA1 7b7587dc215b4d3a13bf54209b575c0bbc32424f
SHA256 090d67342960293efc9ba39d584dfd3c573a71034a97f55b5927466e58591510
SHA512 119ba2fbb36352cae2d2bbb6379666bb1be8becd8075a939440a7e5e0acec7c3fdbbe7b8eb92ac9df8dde9e13e8509992e48ee9aa421b3a10201c7d35ab04339

memory/2388-17-0x0000000000D90000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2776cde4761cefd1198f4712989957b1
SHA1 c801245a080524e704e8e3da95700e58e9d1ca3c
SHA256 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f
SHA512 bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

memory/2920-20-0x0000000001370000-0x00000000013A4000-memory.dmp

memory/2920-21-0x0000000001370000-0x00000000013A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 08:41

Reported

2024-10-09 20:57

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e179cddc3d5076a499c26ad79385813_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/5072-0-0x0000000000450000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 ec69726afd74da10d121e5fe44636bcf
SHA1 34cae97e3c2e2e4a45bb95ee1793032be11acd69
SHA256 e8d338298e92b0829dfb77fab8e6b4c8c6bd69da09c979267c35abcdefb3f3bb
SHA512 0f1f978fe26bb39843768e9f210c8ea1e830f3f87e4dd24e5178cabeee9a79510c26af577614c296b0f68cfa0a387e430e69b2075370d29426028760ba18da29

memory/4504-10-0x0000000000750000-0x0000000000784000-memory.dmp

memory/5072-14-0x0000000000450000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3c2aab2d176c03b90960225075091c0c
SHA1 7b7587dc215b4d3a13bf54209b575c0bbc32424f
SHA256 090d67342960293efc9ba39d584dfd3c573a71034a97f55b5927466e58591510
SHA512 119ba2fbb36352cae2d2bbb6379666bb1be8becd8075a939440a7e5e0acec7c3fdbbe7b8eb92ac9df8dde9e13e8509992e48ee9aa421b3a10201c7d35ab04339

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2776cde4761cefd1198f4712989957b1
SHA1 c801245a080524e704e8e3da95700e58e9d1ca3c
SHA256 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f
SHA512 bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

memory/4504-17-0x0000000000750000-0x0000000000784000-memory.dmp

memory/4504-18-0x0000000000750000-0x0000000000784000-memory.dmp