Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-d2ewmaxbme
Target 3d8d6c2e78226669d4e8826b02690837_JaffaCakes118
SHA256 6b934a97b76614df78dca5686339f043c7e9432e5c4025fa2a074babeae9ea1f
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

6b934a97b76614df78dca5686339f043c7e9432e5c4025fa2a074babeae9ea1f

Threat Level: Known bad

The file 3d8d6c2e78226669d4e8826b02690837_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 03:29

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 03:29

Reported

2024-10-13 03:32

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2844-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 6e7145977553624d9015523fa2676b00
SHA1 91cc35b73dd441cff3fdc857174f9b470173c2e6
SHA256 bbca1f188a1e10b2579652cf8c190664bf8e2ba7e24cb41c3a4069f045c0db48
SHA512 8668444c0639907a4ac3377d28232260f07d94dc5deeca39cfb464961ee12310043607ef271211958dbc008d04351bed05627a98f61c47cbba1330c5bb2b4fe0

memory/2844-10-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d6fc485da67447a6a433c9f45b2cb3a4
SHA1 8b93b3a46b4d0dcd481189bf805ef287751160df
SHA256 9cf653b00012f9dbd8b2f9bc6bc5ec6cf54a005cfc3353f16c68420d2054ee72
SHA512 28117efb653935c50f8ba55de4b74a8faf9e24dbadc1f67ee26b4d1cbf2629b5d2fbd3025a9e5cac03b79151c9584b658960385c65612857ac340f9567f4b940

memory/2844-17-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2428-20-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2428-21-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 03:29

Reported

2024-10-13 03:32

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/3048-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 1beea0de3234461583c10321912799ef
SHA1 bf4aa19b64d146065b8c2b14dedc188211e2c599
SHA256 fb3310b46f13e8afe84db06e9301bf08b93f579088974222728c2704e7c82375
SHA512 e08c20600cac180a614e0eed2ae7ed97d5f891a2d3fb3b029f1ff9a7d666cca60686c88e10b2dcf16e819476bfe6c55ef41d48cd0f7b9aec5bb5c3ca53b28fd4

memory/3048-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d6fc485da67447a6a433c9f45b2cb3a4
SHA1 8b93b3a46b4d0dcd481189bf805ef287751160df
SHA256 9cf653b00012f9dbd8b2f9bc6bc5ec6cf54a005cfc3353f16c68420d2054ee72
SHA512 28117efb653935c50f8ba55de4b74a8faf9e24dbadc1f67ee26b4d1cbf2629b5d2fbd3025a9e5cac03b79151c9584b658960385c65612857ac340f9567f4b940

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2904-19-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2904-20-0x0000000000400000-0x0000000000437000-memory.dmp