Analysis Overview
SHA256
5c933f953f22be853de3a792afed1fc65eaa3ce8dba347c442a21a52e9a29135
Threat Level: Known bad
The file 32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
UPX packed file
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 01:53
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 01:53
Reported
2024-10-11 01:56
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\puibe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puibe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dytuz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\puibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dytuz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\puibe.exe
"C:\Users\Admin\AppData\Local\Temp\puibe.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\dytuz.exe
"C:\Users\Admin\AppData\Local\Temp\dytuz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4260-0-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\puibe.exe
| MD5 | ad59d3d9e5d97b15a5d22ac1e9e24d72 |
| SHA1 | 42ddb1968bcf10bbfb0876b29cc28e8dd0c75b3d |
| SHA256 | 3a5b5b0705448337714042bef57283eb7c7e7b5995e5b6b29e29a8c1dfdeb2f2 |
| SHA512 | fc3f5cb4a5c9e2294a91815768ad66b6ea4af8987f22845bdc0e32ec39477876c7a264306043ffd75d3b8a851266cd15116a0440b41aabee1eaee608478d36c7 |
memory/4260-14-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | aacb2d05b6a63b73425c0a456d6c9515 |
| SHA1 | 9d4dff3004bea0f6b21e63015fed3fbaa9c08019 |
| SHA256 | a228b5de5dd08f682c60fb8ab5236e438f83439dca904848a792b0f601eea1c4 |
| SHA512 | 6a72f9e733e4e41d0fa37b9defdbf3d2750d673a19753c7115b086e1526c2b4d5411247214ab0140f252840f73830dd526a6ae13252db1787eb769f0deee6d3d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 50109fca6b027fd21239e9880f1d4b38 |
| SHA1 | 172b185589ece57be600700494a73e303c6b0977 |
| SHA256 | 20778732fe648695c953597c326edbb90b1b11a36130ab66c1ccdbaca460cad5 |
| SHA512 | 1c0488d24c90ae75b23b552488534075aed92ca0e74e37a9513e85592da89d6dfb0a2b6401a4c1a737f94a2d17125f952c9ceca7f5126ceddd5bd30304a34d63 |
memory/3484-17-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dytuz.exe
| MD5 | 55e8d8e1c8d128db6fa7cf3bec1d8117 |
| SHA1 | 8828432aa2187472a5b6872cc17f84f289b19896 |
| SHA256 | d2318c934445f63f8f5282b6bde86fec236486dd9632427dda6f2f38b5660ffc |
| SHA512 | e951a86d98c6b4a3c2ad72bdc7c1f976ed5913caa1b2541802bfe5cce08a1697c20cf00b0a59a15f9a0e6acfea4ad5ee3a12261f372b8bf805218418cec6241d |
memory/3484-37-0x0000000000400000-0x0000000000489000-memory.dmp
memory/3644-35-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/3644-34-0x0000000000E80000-0x0000000000F36000-memory.dmp
memory/3644-39-0x0000000000E80000-0x0000000000F36000-memory.dmp
memory/3644-40-0x0000000000E80000-0x0000000000F36000-memory.dmp
memory/3644-41-0x0000000000E80000-0x0000000000F36000-memory.dmp
memory/3644-42-0x0000000000E80000-0x0000000000F36000-memory.dmp
memory/3644-43-0x0000000000E80000-0x0000000000F36000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 01:53
Reported
2024-10-11 01:56
Platform
win7-20241010-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zepyh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jyneg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zepyh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zepyh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jyneg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\zepyh.exe
"C:\Users\Admin\AppData\Local\Temp\zepyh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jyneg.exe
"C:\Users\Admin\AppData\Local\Temp\jyneg.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1488-0-0x0000000000400000-0x0000000000489000-memory.dmp
\Users\Admin\AppData\Local\Temp\zepyh.exe
| MD5 | 0f6ee442c9c6353e3bb8850b41a8d79b |
| SHA1 | 7d583933b7388762b6b824d22f3a9e8c37f5fadc |
| SHA256 | 5513affdde0b56b6563350538d29107c303a389383f3fe44b64be670193c2440 |
| SHA512 | 513efffb708e0ace60220e2d0645da2f00651b77af0396bcc571d500b4611cfbd5cdf50020d2aedd3660b6e85c6a9498632de00dfed4e54564d6d84e9491e301 |
memory/2544-16-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | aacb2d05b6a63b73425c0a456d6c9515 |
| SHA1 | 9d4dff3004bea0f6b21e63015fed3fbaa9c08019 |
| SHA256 | a228b5de5dd08f682c60fb8ab5236e438f83439dca904848a792b0f601eea1c4 |
| SHA512 | 6a72f9e733e4e41d0fa37b9defdbf3d2750d673a19753c7115b086e1526c2b4d5411247214ab0140f252840f73830dd526a6ae13252db1787eb769f0deee6d3d |
memory/1488-8-0x0000000002650000-0x00000000026D9000-memory.dmp
memory/1488-19-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 31f11933d98d74a23de7aea4824de3dc |
| SHA1 | c14c3cd34f9c62fda007048211ab1f5c1cfae4af |
| SHA256 | fa0ad499f5d403a69539b933f4d9962b6d5206deb3c4c723fd29a22bebbca81a |
| SHA512 | d5ef6cc65f2a871b24ac4ec53fc31f97a9bebb8afd84517030fb153ee5435075796f26ff57074124b6e3a989101f82a673f3201d39e866292760f6a8f094b96e |
memory/2544-23-0x0000000000400000-0x0000000000489000-memory.dmp
memory/3060-41-0x0000000000130000-0x00000000001E6000-memory.dmp
memory/2544-40-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jyneg.exe
| MD5 | 4482cd3e1a432cb0380c1343c6e86207 |
| SHA1 | 7d2cf5e76015a48b3c63aa8b23b3bc03209e81a8 |
| SHA256 | aefa7bbdb88461fa9dcd7180661b4a704aa090103667517d2714ca9a22fdfca1 |
| SHA512 | b2a189ba59a33ad7a997dc6d0537578204163da1a9f98db9834631bf2a5d0b0e7d55e66f6085f1a4766bf337dc9d3a48404821a588f869e165d16e2ab123374c |
memory/2544-38-0x0000000003C60000-0x0000000003D16000-memory.dmp
memory/3060-43-0x0000000000130000-0x00000000001E6000-memory.dmp
memory/3060-44-0x0000000000130000-0x00000000001E6000-memory.dmp
memory/3060-45-0x0000000000130000-0x00000000001E6000-memory.dmp
memory/3060-46-0x0000000000130000-0x00000000001E6000-memory.dmp
memory/3060-47-0x0000000000130000-0x00000000001E6000-memory.dmp