Malware Analysis Report

2024-11-16 13:26

Sample ID 241012-mpke1s1bnl
Target 3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118
SHA256 92d5d96b775b95f06d4d5d27e063cc187f7af38fbf24f9314e5ed199da3ef8f1
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92d5d96b775b95f06d4d5d27e063cc187f7af38fbf24f9314e5ed199da3ef8f1

Threat Level: Known bad

The file 3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 10:38

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 10:38

Reported

2024-10-12 10:40

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp

Files

memory/1864-0-0x00000000001D0000-0x0000000000204000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 07e5cb573a04819b5e2e6a70637840c8
SHA1 48d7fb59ac0d0162fce21d33a994f74768e14794
SHA256 f939234e5293fb3758d688ae979429681e4c2ebe9ec4b3625591aa22fdfa2d10
SHA512 0b2272df2a94834db264bbc92b74226fcda865bd54033703377d3373d741615804f9e8e53e594b5057c83aab0d4decf3dca3c92b5efcb48df11525bfba2ae18b

memory/1864-6-0x00000000004C0000-0x00000000004F4000-memory.dmp

memory/2080-10-0x00000000000E0000-0x0000000000114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9f977c7bb354748c9f15380bc18f9b70
SHA1 b6db88571b919696f56d314af7f44a57c391e92f
SHA256 93194f3a481301602ebbd785c024a6b6b1b315164dcd6a4a02956223e2c75bfd
SHA512 3ad6f01bfad9c29b8a8c789ff2defc5f4cdb6833af900937eebf5d30b94c6f6e2004c8e6106d5d3d7bfb6ef5fd9123ccd67743f13ce0cb2631f9743d6cb94c72

memory/1864-18-0x00000000001D0000-0x0000000000204000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2776cde4761cefd1198f4712989957b1
SHA1 c801245a080524e704e8e3da95700e58e9d1ca3c
SHA256 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f
SHA512 bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

memory/2080-21-0x00000000000E0000-0x0000000000114000-memory.dmp

memory/2080-22-0x00000000000E0000-0x0000000000114000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 10:38

Reported

2024-10-12 10:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
KR 218.54.47.76:11170 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.54.47.77:11150 tcp

Files

memory/1900-0-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 123a4d1c58209bc195d1691e62ea7893
SHA1 0f21880192f65a40e5a2c3fd871f7eef979dcc85
SHA256 0454bd0815f0ba9313e353a1bfd06f31dc8106c93edffdd6b66ab2fefbf43aea
SHA512 76398e6893ef866027591d4d955ae76009191db08542342def6777d8229a1b8372c23fbed80d22ae62f33dfed2b3c00088330c31f89d0bc363b558ca458842ed

memory/856-12-0x0000000000F50000-0x0000000000F84000-memory.dmp

memory/1900-14-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9f977c7bb354748c9f15380bc18f9b70
SHA1 b6db88571b919696f56d314af7f44a57c391e92f
SHA256 93194f3a481301602ebbd785c024a6b6b1b315164dcd6a4a02956223e2c75bfd
SHA512 3ad6f01bfad9c29b8a8c789ff2defc5f4cdb6833af900937eebf5d30b94c6f6e2004c8e6106d5d3d7bfb6ef5fd9123ccd67743f13ce0cb2631f9743d6cb94c72

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2776cde4761cefd1198f4712989957b1
SHA1 c801245a080524e704e8e3da95700e58e9d1ca3c
SHA256 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f
SHA512 bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

memory/856-17-0x0000000000F50000-0x0000000000F84000-memory.dmp

memory/856-18-0x0000000000F50000-0x0000000000F84000-memory.dmp