Analysis Overview
SHA256
ec8a947059fc22e6cf39eb70c83a734d3fdb9dccea70b9dd73e67a3f4b5f7c6d
Threat Level: Known bad
The file 340e7a400b655de787b990d2a9665524_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 08:26
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 08:26
Reported
2024-10-11 08:28
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dygym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ipbex.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dygym.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dygym.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ipbex.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\dygym.exe
"C:\Users\Admin\AppData\Local\Temp\dygym.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ipbex.exe
"C:\Users\Admin\AppData\Local\Temp\ipbex.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2084-0-0x0000000001250000-0x0000000001289000-memory.dmp
memory/2084-1-0x0000000000020000-0x0000000000022000-memory.dmp
\Users\Admin\AppData\Local\Temp\dygym.exe
| MD5 | 33e4603b0529a3aba7808f961f1a3581 |
| SHA1 | 93b94a0cd9ecdc77cf7d3a59bc5a045ad52866d3 |
| SHA256 | be8fdfe37d1cd50df1727cb6168cf2547469f1acf733c57f7137c1484eae3d10 |
| SHA512 | cf99501053b774be5c4e65a491f2f4495ff7094b32f6211e0180c486d0b77da338156b27726244023eb997ba378b1b8f10158b4fdd6cd93dfe65f8256b968611 |
memory/2084-7-0x00000000005A0000-0x00000000005D9000-memory.dmp
memory/2460-12-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2460-11-0x0000000000F60000-0x0000000000F99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0f684c8a85499790df9bcb9319a9bb01 |
| SHA1 | f312fc4c0e1c62201c27215d01f300b37511367f |
| SHA256 | bcb3fd44ce04f1c97d0c9b21639b7cad7cda0944884170f19e59cc4e169df24f |
| SHA512 | 659c9fa21ba4a29af6f302eeb813853783fae1b85f8e207eea5ddd48608c4e7ea1c6ae378069e2ca4b6f2039c154f9f89ace26044c28069814d74c29deca360b |
memory/2084-21-0x0000000001250000-0x0000000001289000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 361135e0d0ac3cb6f7c852ad99c78e2a |
| SHA1 | 53552ebb824337e7ad53fa5e64270c67083237c2 |
| SHA256 | 2c3c4797b603a264de9d41a9f5b72f44dbd3f257208872ee1655d328fe1db2f2 |
| SHA512 | d4e73b07111a21f3af8e579fafba3f5e559bfa9382a0e45798d0051a4a55fa8ffa51a9ac679f15a6adaf5cb4084e9bf67688f85d72947ec85c9d70a0de7695d0 |
memory/2460-24-0x0000000000F60000-0x0000000000F99000-memory.dmp
memory/2460-25-0x0000000000020000-0x0000000000022000-memory.dmp
\Users\Admin\AppData\Local\Temp\ipbex.exe
| MD5 | 4af3a88e289fed1af7baddc830bd5910 |
| SHA1 | f58890a420211f17f54cf4e3f777d68f959009a3 |
| SHA256 | adbf6363c40db11ba20750b10baf6933f6799f9a1771853e591e349997d540f6 |
| SHA512 | 03b1512d2e462b8558fbac12a4270b5b374c0dc6e20479a3cbeb3b8193e7b1bc46c4c007df89a4b7b120d02e1f32fa80f0eecef79ee78e4464c6022130a094e7 |
memory/2360-44-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2460-42-0x0000000003FF0000-0x00000000040AF000-memory.dmp
memory/2460-41-0x0000000000F60000-0x0000000000F99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dygym.exe
| MD5 | 5f73b8081edee6ff3b32ac25efe8f533 |
| SHA1 | 9745d2bcf94e25bab6543b5d448a622403db3cd5 |
| SHA256 | 40804f4cb1213e3daaa67709b03ebdef818f98fb24f73117d56705cf57115269 |
| SHA512 | e10914a3f33aa2bd6bfdedc66057b94313c259ae031a78c746bec53e3868ebb5161e49db3c5e21f47b0e5132b013f91ce34856ccca5d28820ad3ed84ac358053 |
memory/2360-46-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2360-47-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2360-48-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2360-49-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2360-50-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2360-51-0x0000000000400000-0x00000000004BF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 08:26
Reported
2024-10-11 08:28
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\issed.exe
"C:\Users\Admin\AppData\Local\Temp\issed.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\komes.exe
"C:\Users\Admin\AppData\Local\Temp\komes.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/1956-0-0x0000000000260000-0x0000000000299000-memory.dmp
memory/1956-1-0x0000000000820000-0x0000000000822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\issed.exe
| MD5 | f9071f583bb24b9ea14bc5da27ae23d7 |
| SHA1 | 5b479dab7838dffacee9f04d5e420e2796b50bff |
| SHA256 | 38514f240c4491b7de6ffa77358fdcd4482bc9a64658fbd5c6c156a383524eb8 |
| SHA512 | ab24469de4e662eac6e16dbc8e0cef7bcf14f79f6a93fe651642ef4f9174dc48f6be4be6e4cbaa837e0c8d3d7412004d6956a6415bf91404286df19b2ed67971 |
memory/2212-13-0x0000000000030000-0x0000000000069000-memory.dmp
memory/1956-17-0x0000000000260000-0x0000000000299000-memory.dmp
memory/2212-14-0x0000000000C80000-0x0000000000C82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0f684c8a85499790df9bcb9319a9bb01 |
| SHA1 | f312fc4c0e1c62201c27215d01f300b37511367f |
| SHA256 | bcb3fd44ce04f1c97d0c9b21639b7cad7cda0944884170f19e59cc4e169df24f |
| SHA512 | 659c9fa21ba4a29af6f302eeb813853783fae1b85f8e207eea5ddd48608c4e7ea1c6ae378069e2ca4b6f2039c154f9f89ace26044c28069814d74c29deca360b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e0cc19d4e1c793aad2bfbcd11dee9c1d |
| SHA1 | ff7215917afee3f9808a2940c5635577cdf54087 |
| SHA256 | 2319f91febc8196ce96df481572fca81364195a0fd7884ac502f28eb66192a45 |
| SHA512 | ba62f1bf5d1ae9fcd238d0e59e12ce5798c96b65c71396af1eb3ab30aca5aacb6278d252ad1e48763f18c575790ad380373e7251e7a6021a8ebbf516cb6acc87 |
memory/2212-20-0x0000000000C80000-0x0000000000C82000-memory.dmp
memory/2212-21-0x0000000000030000-0x0000000000069000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\komes.exe
| MD5 | e367d980fd0991db362877727626f29f |
| SHA1 | 73b2ee5cfad099f1387c007579a0ced70950e1c6 |
| SHA256 | 9909e562ca1a9cde3435fa64221806487bbd5a49cb4c3277081161ec10cfc753 |
| SHA512 | efc37e20957cd5df849039668cd473d5ee437ce9f7b6fec00499416b502af0b8a81bcb7b9ac0e36452c4b3e0b517754639dcbbe9c1bf79006f0a74531957a6c9 |
memory/2212-40-0x0000000000030000-0x0000000000069000-memory.dmp
memory/1552-38-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-42-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-43-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-44-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-45-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-46-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1552-47-0x0000000000400000-0x00000000004BF000-memory.dmp