Analysis Overview
SHA256
ec7d6d3ac17ffbcff24403e02f18a154d1e6d3d9863e39cc64a44d84a57f547a
Threat Level: Known bad
The file 2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 09:54
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 09:54
Reported
2024-10-09 22:40
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ubnyo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuwir.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ubnyo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ubnyo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vuwir.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ubnyo.exe
"C:\Users\Admin\AppData\Local\Temp\ubnyo.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\vuwir.exe
"C:\Users\Admin\AppData\Local\Temp\vuwir.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2268-0-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ubnyo.exe
| MD5 | d700881ea23112212ea2c43e3cc6b2df |
| SHA1 | 2e34d54cc3ea9056f0ea032d9ecb25a3bfa6afb1 |
| SHA256 | b8299474343c86598c292d1b9b57f2bce49c17d9f917343ba6990cc85765b46b |
| SHA512 | 187cb3e2c7266d492113e3000d5bab734d8e2a2a2eda25a47da8f81f8e7ea08788ac990d22ce2abdf37f11372f101db6b58bfb6de75176b9f4d2e8e5d4be1948 |
memory/2268-17-0x0000000002430000-0x00000000024CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f6bce7c9dbb23e1d13d036e9c2056714 |
| SHA1 | 2c4404b246d8aaedbcfd41945807903316f5bdc1 |
| SHA256 | 817683ecbc9557248fd2df78e8454940cb6f9ed539998e954b809cd782cccc1d |
| SHA512 | a21e77fd7e281e2b33192e7860275d0bcc52767cb1c8782a45d4a51138d6f62caf8b9d8e9b86da014e4c8f82ea27092e388422c6d97ef73dcf5adef18b14f4cf |
memory/2788-22-0x0000000000400000-0x000000000049B000-memory.dmp
memory/2268-20-0x0000000002430000-0x00000000024CB000-memory.dmp
memory/2268-19-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2a29b049e5bfcb63ca5f2560248acb37 |
| SHA1 | cc6d0f33435639aff9e022cdeafbbaf8f7fa1971 |
| SHA256 | b8a692ca37cc2974830b73a5bdebf66054a3a829abc714f07000dcdabee57d44 |
| SHA512 | 1fbff2566e1ebf16199c798da389ddd7482b069ae8f5446c3ce9562eded2aa8bb4ba652f9ad55fca55eb1e760d2d7d08e362926dc1a46804e4ba73c1a5c0c8fe |
memory/2268-25-0x0000000002430000-0x00000000024CB000-memory.dmp
memory/2788-26-0x0000000000400000-0x000000000049B000-memory.dmp
\Users\Admin\AppData\Local\Temp\vuwir.exe
| MD5 | acd8723b2eb74497c52e65e8bbf88bc8 |
| SHA1 | 9ed3973bd00f2a7eaa88372d95fc4fe6b0c72aaf |
| SHA256 | b43f78d6b710651dbae61416e7c1810bacf128e5d2886fab1d308f2bcf3d73c0 |
| SHA512 | 9b02ceea3bbb607343c9ad62acaf7550a37d89354e8ca2e8dde73dc868f546d313541d004eaa2af4ba66845ab74425a192e1200f2dbb94659ef46968530757dd |
memory/2788-34-0x0000000000400000-0x000000000049B000-memory.dmp
memory/1656-37-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-38-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-36-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-35-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/2788-31-0x0000000003C30000-0x0000000003CC4000-memory.dmp
memory/1656-40-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-41-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-42-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-43-0x00000000013B0000-0x0000000001444000-memory.dmp
memory/1656-44-0x00000000013B0000-0x0000000001444000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 09:54
Reported
2024-10-09 22:41
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
96s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rydek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rydek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lopyp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rydek.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lopyp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\rydek.exe
"C:\Users\Admin\AppData\Local\Temp\rydek.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\lopyp.exe
"C:\Users\Admin\AppData\Local\Temp\lopyp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2372-0-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rydek.exe
| MD5 | a09000405ea920a01c1bcd74183f4575 |
| SHA1 | ef797613d279ac989164245f8448a5f368e5fbd5 |
| SHA256 | 80aca03090f60661f93d404fac4131d61e81e9c34dfdf25b6ce2aee60545c68e |
| SHA512 | 3b3074f2530528964ad8259d762c2c88b6f39d0844e1f9184f004e3a75c93b3db609e3221750b595293a058875f408f68a92f4632df322c9b7a9ea486ea43789 |
memory/3664-12-0x0000000000400000-0x000000000049B000-memory.dmp
memory/2372-14-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f6bce7c9dbb23e1d13d036e9c2056714 |
| SHA1 | 2c4404b246d8aaedbcfd41945807903316f5bdc1 |
| SHA256 | 817683ecbc9557248fd2df78e8454940cb6f9ed539998e954b809cd782cccc1d |
| SHA512 | a21e77fd7e281e2b33192e7860275d0bcc52767cb1c8782a45d4a51138d6f62caf8b9d8e9b86da014e4c8f82ea27092e388422c6d97ef73dcf5adef18b14f4cf |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1122c1c0c9fd1d0bbad046d1c7b7572f |
| SHA1 | e403add64b02ccb356e742351d44626f644d08f8 |
| SHA256 | c8ae38a58fe7e951fef9d9521bae68f05dc97d35388ee47cfb223139a0632b06 |
| SHA512 | 54de7800717ad6719c4ba598fd33c61edc4b21fc2445d37e98aadb6bc79c931f94ff04b942b5f1a5d0591d8bb5228d622e99925badd14d98dc4305d7ec010722 |
memory/3664-17-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lopyp.exe
| MD5 | 10aee9923fae4ef212f96c4a6a747766 |
| SHA1 | 6d76917916c3fc63fddd2e68a1a88aff1af796ed |
| SHA256 | 6f774d8dd7cc0218ea6f094f869d705473d833f1cf324844174ef070fa8890b2 |
| SHA512 | 19248fc0a82ad1ad0572023a9e11d0472e83358c2cc7d3edd02d5024c8daaf6530cbe4589fc3d9b66f7dcba774d8793f9b3a2119fc1130ba723ba68ee846a3ac |
memory/3128-26-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-29-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3664-30-0x0000000000400000-0x000000000049B000-memory.dmp
memory/3128-28-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-27-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-32-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-33-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-34-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-35-0x0000000000C50000-0x0000000000CE4000-memory.dmp
memory/3128-36-0x0000000000C50000-0x0000000000CE4000-memory.dmp
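Hunting rules derived from the two detonations above, as an added example that is not part of the sandbox report or of any vendor tooling. It turns the report's indicators into checks a practitioner could run over endpoint telemetry: a Temp-resident EXE launching another Temp EXE (Executes dropped EXE), cmd.exe running a .bat dropped in Temp on behalf of a Temp EXE (the step the report tags as Deletes itself), reads of the NLS\Language and Geo\Nation keys (System Language Discovery, Checks computer location settings), the dropped-file SHA256s, and TCP to the listed KR/JP hosts on 11110/11170. The Event schema is an assumption, not a real EDR format; SAMPLE_EVENTS are constructed from rows of both runs, and their parent/child links are assumed, since the report's process list is flat.

```python
"""Hunting rules built from the Urelas sandbox report above.

Added example, not part of the report. The Event schema is an assumption,
not a real EDR format; SAMPLE_EVENTS are constructed from the report's rows,
with parent/child links assumed (the report's process list is flat).
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the report's Network and Files sections.
C2_ENDPOINTS = {
    ("218.54.31.226", 11110), ("1.234.83.146", 11170),
    ("218.54.31.165", 11110), ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}
DROPPED_SHA256 = {
    "b8299474343c86598c292d1b9b57f2bce49c17d9f917343ba6990cc85765b46b",  # ubnyo.exe
    "b43f78d6b710651dbae61416e7c1810bacf128e5d2886fab1d308f2bcf3d73c0",  # vuwir.exe
    "80aca03090f60661f93d404fac4131d61e81e9c34dfdf25b6ce2aee60545c68e",  # rydek.exe
    "6f774d8dd7cc0218ea6f094f869d705473d833f1cf324844174ef070fa8890b2",  # lopyp.exe
    "817683ecbc9557248fd2df78e8454940cb6f9ed539998e954b809cd782cccc1d",  # _uinsey.bat
}
# Registry paths the samples touched (compared case-insensitively as suffixes).
LOCALE_KEYS = (r"\control\nls\language", r"\control panel\international\geo\nation")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd.exe /c "<Temp>\<name>.bat", the self-delete step seen in both runs.
TEMP_BAT_RE = re.compile(r'cmd(\.exe)?\s+/c\s+"*[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat', re.I)


@dataclass
class Event:
    kind: str                 # "process", "registry" or "network" (assumed schema)
    pid: int
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    key: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    sha256: str = ""


def hunt(events):
    """Return (rule, pid) findings for every event that matches a rule."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "process":
            parent = procs.get(e.ppid)
            parent_in_temp = parent is not None and TEMP_RE.search(parent.image)
            # "Executes dropped EXE": a Temp EXE launched by another Temp EXE.
            if parent_in_temp and TEMP_RE.search(e.image):
                findings.append(("dropped_exe_from_temp", e.pid))
            # "Deletes itself": cmd.exe running a Temp .bat for a Temp EXE.
            if parent_in_temp and TEMP_BAT_RE.search(e.cmdline):
                findings.append(("temp_bat_via_cmd", e.pid))
            if e.sha256.lower() in DROPPED_SHA256:
                findings.append(("known_dropped_hash", e.pid))
        elif e.kind == "registry":
            # "System Language Discovery" / "Checks computer location settings".
            if e.key.lower().endswith(LOCALE_KEYS):
                findings.append(("locale_discovery", e.pid))
        elif e.kind == "network":
            if (e.dst_ip, e.dst_port) in C2_ENDPOINTS:
                findings.append(("known_c2_endpoint", e.pid))
            elif e.dst_port in C2_PORTS and not ipaddress.ip_address(e.dst_ip).is_private:
                # Same unusual ports to an unlisted public host: weaker signal.
                findings.append(("urelas_port_to_public_ip", e.pid))
    return findings


def verdict(events):
    """True when the whole chain from the report is present: drop-and-execute,
    Temp .bat via cmd.exe, locale discovery and traffic on the C2 ports."""
    rules = {rule for rule, _ in hunt(events)}
    has_c2 = bool(rules & {"known_c2_endpoint", "urelas_port_to_public_ip"})
    return {"dropped_exe_from_temp", "temp_bat_via_cmd", "locale_discovery"} <= rules and has_c2


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events. PIDs 2268/2788/1656 come from the memory dump names in
# behavioral1; PID 2900 for cmd.exe and the parent links are assumptions.
SAMPLE_EVENTS = [
    Event("process", 2268, 1000, image=TEMP + r"\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe"),
    Event("process", 2788, 2268, image=TEMP + r"\ubnyo.exe",
          sha256="b8299474343c86598c292d1b9b57f2bce49c17d9f917343ba6990cc85765b46b"),
    Event("process", 2900, 2268, image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'cmd /c ""' + TEMP + r'\_uinsey.bat" "'),
    Event("process", 1656, 2788, image=TEMP + r"\vuwir.exe"),
    Event("registry", 2268, key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("registry", 2788, key=r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000"
                                r"\Control Panel\International\Geo\Nation"),
    Event("network", 2788, dst_ip="218.54.31.226", dst_port=11110),
    Event("network", 2788, dst_ip="8.8.8.8", dst_port=53),              # benign DNS, no match
    Event("process", 4000, 1000, image=r"C:\Windows\System32\cmd.exe",
          cmdline=r'cmd /c "C:\Scripts\backup.bat"'),                    # benign .bat, no match
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid}")
    print("urelas-like:", verdict(SAMPLE_EVENTS))
```

The hash and endpoint rules are exact and will age with the campaign; the Temp-EXE-spawns-Temp-EXE, cmd.exe-runs-Temp-.bat and locale-key rules are behavioural and survive a rebuild of the dropper. Tune the last one, since legitimate installers also read NLS\Language, and treat it as corroboration rather than a stand-alone alert.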