Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 15:35

General

  • Target

    3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe

  • Size

    235KB

  • MD5

    3acb5bb9fda51fa3ab0a140557827dfa

  • SHA1

    7c4b46d51217b769cf77354efb6aa3ebfb2da8a9

  • SHA256

    e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245

  • SHA512

    8baeda5dc629dbd9bad255f0deb26d71a29c2ffbc49d7883bc6e5e42adb59c60544b5f688f6efac0201a04f494e566cd23936d908507ff44f246ee88fc809938

  • SSDEEP

    3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2K:ZASpvo0LKkRzpxJ2kRqroiK

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7295fb9368a0ef278de4b9755bf9fa1b

    SHA1

    db5fa220d77ed7824ae0a4f822e0ce46010a5d77

    SHA256

    dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

    SHA512

    dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

  • C:\Users\Admin\AppData\Local\Temp\huter.exe

    Filesize

    235KB

    MD5

    3c1baefee080fe75cf9082f87894a318

    SHA1

    6b36a08b3a8bdffba4b0b4d445ee084d5555a3b7

    SHA256

    2b019042495a6bb8e78ce37487b7436883a69ee5c787e62c53173d34fe823c44

    SHA512

    27c939e14c30002e7a692b5e714cb54e7a0a26ac89165628189121ca9479b665e20df71bea7486e9474a499f7064cd10ad9f0d0573f76fd107ad54d5f3d979d0

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    302B

    MD5

    738257222c3a75b45038af74dab702e2

    SHA1

    0000e6b5af00c950395b6d6cfff505ed8fba236c

    SHA256

    40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2

    SHA512

    f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714

  • memory/1352-10-0x00000000002C0000-0x00000000002FD000-memory.dmp

    Filesize

    244KB

  • memory/1352-17-0x00000000002C0000-0x00000000002FD000-memory.dmp

    Filesize

    244KB

  • memory/1352-18-0x00000000002C0000-0x00000000002FD000-memory.dmp

    Filesize

    244KB

  • memory/2288-0-0x0000000000190000-0x00000000001CD000-memory.dmp

    Filesize

    244KB

  • memory/2288-14-0x0000000000190000-0x00000000001CD000-memory.dmp

    Filesize

    244KB