Malware Analysis Report

2024-11-16 13:25

Sample ID 241012-s1mx6sxfqd
Target 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118
SHA256 e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245
Tags: urelas, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245

Threat Level: Known bad

The file 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan

Urelas family

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-12 15:35

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 15:35

Reported: 2024-10-12 15:38

Platform: win7-20241010-en

Max time kernel: 91s

Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | - | tcp
KR | 112.175.88.208:11150 | - | tcp
KR | 112.175.88.209:11170 | - | tcp
KR | 112.175.88.207:11150 | - | tcp

Files

memory/2248-0-0x0000000000820000-0x000000000085D000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5: 80ce05016e71ec4b79b8e103ca897b6d
SHA1: 0986289bea1e700da264effc0151c785b07cba46
SHA256: fa6b49731c66b9a25a2b8e2bf05e2adc22cf6e0ce9d43b27f05071a7b89eaac7
SHA512: f773be2e39fffe5f612bc688fce3528228a8b1e0dd0ec43f2760e0ebb80070a392cd20c0b1d7c2ccd0b98a6624589a1daf4be1a7e00c4ba9cc893f219d653084

memory/2248-6-0x00000000003B0000-0x00000000003ED000-memory.dmp

memory/2876-10-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5: 738257222c3a75b45038af74dab702e2
SHA1: 0000e6b5af00c950395b6d6cfff505ed8fba236c
SHA256: 40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2
SHA512: f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714

memory/2248-18-0x0000000000820000-0x000000000085D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5: 7295fb9368a0ef278de4b9755bf9fa1b
SHA1: db5fa220d77ed7824ae0a4f822e0ce46010a5d77
SHA256: dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
SHA512: dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

memory/2876-21-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

memory/2876-22-0x0000000000CC0000-0x0000000000CFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-12 15:35

Reported: 2024-10-12 15:38

Platform: win10v2004-20241007-en

Max time kernel: 96s

Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | - | tcp
KR | 112.175.88.208:11150 | - | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
KR | 112.175.88.209:11170 | - | tcp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
KR | 112.175.88.207:11150 | - | tcp
US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/2288-0-0x0000000000190000-0x00000000001CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5: 3c1baefee080fe75cf9082f87894a318
SHA1: 6b36a08b3a8bdffba4b0b4d445ee084d5555a3b7
SHA256: 2b019042495a6bb8e78ce37487b7436883a69ee5c787e62c53173d34fe823c44
SHA512: 27c939e14c30002e7a692b5e714cb54e7a0a26ac89165628189121ca9479b665e20df71bea7486e9474a499f7064cd10ad9f0d0573f76fd107ad54d5f3d979d0

memory/1352-10-0x00000000002C0000-0x00000000002FD000-memory.dmp

memory/2288-14-0x0000000000190000-0x00000000001CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5: 738257222c3a75b45038af74dab702e2
SHA1: 0000e6b5af00c950395b6d6cfff505ed8fba236c
SHA256: 40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2
SHA512: f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5: 7295fb9368a0ef278de4b9755bf9fa1b
SHA1: db5fa220d77ed7824ae0a4f822e0ce46010a5d77
SHA256: dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
SHA512: dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

memory/1352-17-0x00000000002C0000-0x00000000002FD000-memory.dmp

memory/1352-18-0x00000000002C0000-0x00000000002FD000-memory.dmp