Analysis

  • max time kernel
    91s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 15:35

General

  • Target

    3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe

  • Size

    235KB

  • MD5

    3acb5bb9fda51fa3ab0a140557827dfa

  • SHA1

    7c4b46d51217b769cf77354efb6aa3ebfb2da8a9

  • SHA256

    e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245

  • SHA512

    8baeda5dc629dbd9bad255f0deb26d71a29c2ffbc49d7883bc6e5e42adb59c60544b5f688f6efac0201a04f494e566cd23936d908507ff44f246ee88fc809938

  • SSDEEP

    3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2K:ZASpvo0LKkRzpxJ2kRqroiK

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7295fb9368a0ef278de4b9755bf9fa1b

    SHA1

    db5fa220d77ed7824ae0a4f822e0ce46010a5d77

    SHA256

    dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

    SHA512

    dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    302B

    MD5

    738257222c3a75b45038af74dab702e2

    SHA1

    0000e6b5af00c950395b6d6cfff505ed8fba236c

    SHA256

    40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2

    SHA512

    f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714

  • \Users\Admin\AppData\Local\Temp\huter.exe

    Filesize

    235KB

    MD5

    80ce05016e71ec4b79b8e103ca897b6d

    SHA1

    0986289bea1e700da264effc0151c785b07cba46

    SHA256

    fa6b49731c66b9a25a2b8e2bf05e2adc22cf6e0ce9d43b27f05071a7b89eaac7

    SHA512

    f773be2e39fffe5f612bc688fce3528228a8b1e0dd0ec43f2760e0ebb80070a392cd20c0b1d7c2ccd0b98a6624589a1daf4be1a7e00c4ba9cc893f219d653084

  • memory/2248-0-0x0000000000820000-0x000000000085D000-memory.dmp

    Filesize

    244KB

  • memory/2248-6-0x00000000003B0000-0x00000000003ED000-memory.dmp

    Filesize

    244KB

  • memory/2248-18-0x0000000000820000-0x000000000085D000-memory.dmp

    Filesize

    244KB

  • memory/2876-10-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

    Filesize

    244KB

  • memory/2876-21-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

    Filesize

    244KB

  • memory/2876-22-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

    Filesize

    244KB