Analysis Overview
SHA256
92d5d96b775b95f06d4d5d27e063cc187f7af38fbf24f9314e5ed199da3ef8f1
Threat Level: Known bad
The file 3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 10:38
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 10:38
Reported
2024-10-12 10:40
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1864-0-0x00000000001D0000-0x0000000000204000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 07e5cb573a04819b5e2e6a70637840c8 |
| SHA1 | 48d7fb59ac0d0162fce21d33a994f74768e14794 |
| SHA256 | f939234e5293fb3758d688ae979429681e4c2ebe9ec4b3625591aa22fdfa2d10 |
| SHA512 | 0b2272df2a94834db264bbc92b74226fcda865bd54033703377d3373d741615804f9e8e53e594b5057c83aab0d4decf3dca3c92b5efcb48df11525bfba2ae18b |
memory/1864-6-0x00000000004C0000-0x00000000004F4000-memory.dmp
memory/2080-10-0x00000000000E0000-0x0000000000114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 9f977c7bb354748c9f15380bc18f9b70 |
| SHA1 | b6db88571b919696f56d314af7f44a57c391e92f |
| SHA256 | 93194f3a481301602ebbd785c024a6b6b1b315164dcd6a4a02956223e2c75bfd |
| SHA512 | 3ad6f01bfad9c29b8a8c789ff2defc5f4cdb6833af900937eebf5d30b94c6f6e2004c8e6106d5d3d7bfb6ef5fd9123ccd67743f13ce0cb2631f9743d6cb94c72 |
memory/1864-18-0x00000000001D0000-0x0000000000204000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2776cde4761cefd1198f4712989957b1 |
| SHA1 | c801245a080524e704e8e3da95700e58e9d1ca3c |
| SHA256 | 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f |
| SHA512 | bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a |
memory/2080-21-0x00000000000E0000-0x0000000000114000-memory.dmp
memory/2080-22-0x00000000000E0000-0x0000000000114000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 10:38
Reported
2024-10-12 10:40
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1900 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1900 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 1900 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1900 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1900 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3990f4b65ff91e1b5b56517fb2a6a7fc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1900-0-0x0000000000440000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 123a4d1c58209bc195d1691e62ea7893 |
| SHA1 | 0f21880192f65a40e5a2c3fd871f7eef979dcc85 |
| SHA256 | 0454bd0815f0ba9313e353a1bfd06f31dc8106c93edffdd6b66ab2fefbf43aea |
| SHA512 | 76398e6893ef866027591d4d955ae76009191db08542342def6777d8229a1b8372c23fbed80d22ae62f33dfed2b3c00088330c31f89d0bc363b558ca458842ed |
memory/856-12-0x0000000000F50000-0x0000000000F84000-memory.dmp
memory/1900-14-0x0000000000440000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 9f977c7bb354748c9f15380bc18f9b70 |
| SHA1 | b6db88571b919696f56d314af7f44a57c391e92f |
| SHA256 | 93194f3a481301602ebbd785c024a6b6b1b315164dcd6a4a02956223e2c75bfd |
| SHA512 | 3ad6f01bfad9c29b8a8c789ff2defc5f4cdb6833af900937eebf5d30b94c6f6e2004c8e6106d5d3d7bfb6ef5fd9123ccd67743f13ce0cb2631f9743d6cb94c72 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2776cde4761cefd1198f4712989957b1 |
| SHA1 | c801245a080524e704e8e3da95700e58e9d1ca3c |
| SHA256 | 69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f |
| SHA512 | bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a |
memory/856-17-0x0000000000F50000-0x0000000000F84000-memory.dmp
memory/856-18-0x0000000000F50000-0x0000000000F84000-memory.dmp