Analysis Overview
SHA256
e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245
Threat Level: Known bad
The file 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 15:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 15:35
Reported
2024-10-12 15:38
Platform
win7-20241010-en
Max time kernel
91s
Max time network
97s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | tcp | |
| KR | 112.175.88.208:11150 | tcp | |
| KR | 112.175.88.209:11170 | tcp | |
| KR | 112.175.88.207:11150 | tcp |
Files
memory/2248-0-0x0000000000820000-0x000000000085D000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 80ce05016e71ec4b79b8e103ca897b6d |
| SHA1 | 0986289bea1e700da264effc0151c785b07cba46 |
| SHA256 | fa6b49731c66b9a25a2b8e2bf05e2adc22cf6e0ce9d43b27f05071a7b89eaac7 |
| SHA512 | f773be2e39fffe5f612bc688fce3528228a8b1e0dd0ec43f2760e0ebb80070a392cd20c0b1d7c2ccd0b98a6624589a1daf4be1a7e00c4ba9cc893f219d653084 |
memory/2248-6-0x00000000003B0000-0x00000000003ED000-memory.dmp
memory/2876-10-0x0000000000CC0000-0x0000000000CFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 738257222c3a75b45038af74dab702e2 |
| SHA1 | 0000e6b5af00c950395b6d6cfff505ed8fba236c |
| SHA256 | 40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2 |
| SHA512 | f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714 |
memory/2248-18-0x0000000000820000-0x000000000085D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7295fb9368a0ef278de4b9755bf9fa1b |
| SHA1 | db5fa220d77ed7824ae0a4f822e0ce46010a5d77 |
| SHA256 | dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98 |
| SHA512 | dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a |
memory/2876-21-0x0000000000CC0000-0x0000000000CFD000-memory.dmp
memory/2876-22-0x0000000000CC0000-0x0000000000CFD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 15:35
Reported
2024-10-12 15:38
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2288 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2288 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2288 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2288 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2288 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2288 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | tcp | |
| KR | 112.175.88.208:11150 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | tcp | |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | tcp | |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/2288-0-0x0000000000190000-0x00000000001CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 3c1baefee080fe75cf9082f87894a318 |
| SHA1 | 6b36a08b3a8bdffba4b0b4d445ee084d5555a3b7 |
| SHA256 | 2b019042495a6bb8e78ce37487b7436883a69ee5c787e62c53173d34fe823c44 |
| SHA512 | 27c939e14c30002e7a692b5e714cb54e7a0a26ac89165628189121ca9479b665e20df71bea7486e9474a499f7064cd10ad9f0d0573f76fd107ad54d5f3d979d0 |
memory/1352-10-0x00000000002C0000-0x00000000002FD000-memory.dmp
memory/2288-14-0x0000000000190000-0x00000000001CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 738257222c3a75b45038af74dab702e2 |
| SHA1 | 0000e6b5af00c950395b6d6cfff505ed8fba236c |
| SHA256 | 40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2 |
| SHA512 | f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7295fb9368a0ef278de4b9755bf9fa1b |
| SHA1 | db5fa220d77ed7824ae0a4f822e0ce46010a5d77 |
| SHA256 | dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98 |
| SHA512 | dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a |
memory/1352-17-0x00000000002C0000-0x00000000002FD000-memory.dmp
memory/1352-18-0x00000000002C0000-0x00000000002FD000-memory.dmp