Analysis Overview
SHA256
32c32ba223885385007dea2bb1904096b4dbf7dd6de2d4d816e3d600bb960cbe
Threat Level: Known bad
The file 373212a60a8702b87c205cf0179d423d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 22:48
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 22:48
Reported
2024-10-11 22:51
Platform
win7-20240729-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agboy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wicic.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agboy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wicic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\agboy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\wicic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wicic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\agboy.exe
"C:\Users\Admin\AppData\Local\Temp\agboy.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\wicic.exe
"C:\Users\Admin\AppData\Local\Temp\wicic.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2932-0-0x0000000000EA0000-0x0000000000F69000-memory.dmp
\Users\Admin\AppData\Local\Temp\agboy.exe
| MD5 | bd0e38975ac84dd13a020fe06e2154f0 |
| SHA1 | f387bd605c3189f8a844cb8d996278cc084ff902 |
| SHA256 | 8316bcdcc97a6f922157a28408dcff28a45d3199a37344e1d6f03e7cfdeafe97 |
| SHA512 | 802d1a0db08039b7c25644097466f81b6ebe425921b8820881f695d1dc5bbf9fac2d452c4113a52eb55d7dd1aa0f8fe1c83a484dc2695eccd1f08e334645ee88 |
memory/2932-16-0x0000000002640000-0x0000000002709000-memory.dmp
memory/2384-18-0x0000000000E80000-0x0000000000F49000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e1b9b2ae3f5753a19953a29c9068a4a |
| SHA1 | 15d49110d07d55455262ee187f5e69f258bbcf5a |
| SHA256 | 5cf8853f308c6a39871a5a9a9d6eb32e904a401de7ab4adef58be92b6c085507 |
| SHA512 | e1b1b722ce035d7ca761e05871409ea2021cc9b6618a752103e49fbbdc6eab395e887a63f1ba556a01062ac9e457e286996aa7b4c57069f15fc721e7df485937 |
memory/2932-15-0x0000000000EA0000-0x0000000000F69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1daff93c5de03c009628a9c9a0f72705 |
| SHA1 | 4d2ec09c708e4410210b69bfc4cfcb6919f8dca6 |
| SHA256 | cb62e840f47b1054bbe85a04a663c7867d39d456f2d5c1f0f8cddd59742cc5c9 |
| SHA512 | 3c6129d93ba06d488304b28039f218ebdee92b358ff17d84a284660e7e78a375fdf1ab7822737682d5b6fe2819b6f32e91bbc883b346d1b35871058a5432f6b5 |
memory/2932-21-0x0000000002640000-0x0000000002709000-memory.dmp
memory/2384-22-0x0000000000E80000-0x0000000000F49000-memory.dmp
\Users\Admin\AppData\Local\Temp\wicic.exe
| MD5 | 083573d4e6de88d81f80a586665c53cd |
| SHA1 | 5e164d308015c621efa8a99a08d711e6d832934d |
| SHA256 | caca43c976e84713a387c37c143a800814af19745caf8a83002daf1c55f71e97 |
| SHA512 | 61101e69cf59a6f6e40b1c604e0cda600f0443f1502db5de33dc26855c388805716cadf59bdd4a00f9d7bbdbf71915e06927bf8b1f1460eadbb97f0fbf26ed22 |
memory/2384-26-0x0000000003C90000-0x0000000003D1F000-memory.dmp
memory/2288-31-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2384-30-0x0000000000E80000-0x0000000000F49000-memory.dmp
memory/2288-33-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2288-34-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2288-35-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2288-36-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2288-37-0x0000000000400000-0x000000000048F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 22:48
Reported
2024-10-11 22:51
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lalup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lalup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiydm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hiydm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lalup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\hiydm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hiydm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\lalup.exe
"C:\Users\Admin\AppData\Local\Temp\lalup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\hiydm.exe
"C:\Users\Admin\AppData\Local\Temp\hiydm.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2608-0-0x0000000000EF0000-0x0000000000FB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lalup.exe
| MD5 | a257946c23b0c93ac4549b3344f41660 |
| SHA1 | 09ccb84ddd2492904d767d7bbb339c6fe9758db7 |
| SHA256 | 61d8add624146599188ed72bf8c9a744fb954a78425aa76b49d949d016561b00 |
| SHA512 | 9f6eae5e07fb04cdaf9de7a0f105a9bf745427d80f2fd3f08d3ac1c6f03e28c993dccf2319cd9dcd8aaf8337c3b44f6d5724fb57ca9be64474bea3610fb8289b |
memory/3092-12-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
memory/2608-14-0x0000000000EF0000-0x0000000000FB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e1b9b2ae3f5753a19953a29c9068a4a |
| SHA1 | 15d49110d07d55455262ee187f5e69f258bbcf5a |
| SHA256 | 5cf8853f308c6a39871a5a9a9d6eb32e904a401de7ab4adef58be92b6c085507 |
| SHA512 | e1b1b722ce035d7ca761e05871409ea2021cc9b6618a752103e49fbbdc6eab395e887a63f1ba556a01062ac9e457e286996aa7b4c57069f15fc721e7df485937 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0ebbc74a72a0dc587cbcb3eadca93b71 |
| SHA1 | 0c6ecb9d679fed33e5c612fe9e480846986860f0 |
| SHA256 | 63e97c420a8068bfe1f598612f1b32df22024684509ac159c90ed54382dfaedf |
| SHA512 | 1585007a397f003191cc961cbffd1a332720d60a0e9a8af63b8143407afab26598e43341845f7d92f3692fb1d90ba199ca320a4451a4f9ff10385a03f14bf847 |
memory/3092-17-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hiydm.exe
| MD5 | fd98ca9c6ddd8da79878490f828c6e17 |
| SHA1 | f9c0f051abb5a441d55f6caf2ce1ea3ee8cb789d |
| SHA256 | ea4b738efa276773f0e2001adb17912b92e4da33829f1d4fb4034b40194ba236 |
| SHA512 | 2295e47e8c70cd73d5728d4e9ec4c5803dd5d1859c2a1faa1bb75aea6db17328bfe7512a3c069a8f17bf3db7316f5d5d380e4902b131a0f832f93b99f079cc79 |
memory/3092-28-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
memory/1528-27-0x00000000005C0000-0x00000000005C2000-memory.dmp
memory/1528-26-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1528-31-0x00000000005C0000-0x00000000005C2000-memory.dmp
memory/1528-30-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1528-32-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1528-33-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1528-34-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1528-35-0x0000000000400000-0x000000000048F000-memory.dmp