Analysis Overview
SHA256
6b934a97b76614df78dca5686339f043c7e9432e5c4025fa2a074babeae9ea1f
Threat Level: Known bad
The file 3d8d6c2e78226669d4e8826b02690837_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 03:29
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 03:29
Reported
2024-10-13 03:32
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2844-0-0x0000000000400000-0x0000000000437000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 6e7145977553624d9015523fa2676b00 |
| SHA1 | 91cc35b73dd441cff3fdc857174f9b470173c2e6 |
| SHA256 | bbca1f188a1e10b2579652cf8c190664bf8e2ba7e24cb41c3a4069f045c0db48 |
| SHA512 | 8668444c0639907a4ac3377d28232260f07d94dc5deeca39cfb464961ee12310043607ef271211958dbc008d04351bed05627a98f61c47cbba1330c5bb2b4fe0 |
memory/2844-10-0x0000000001FA0000-0x0000000001FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d6fc485da67447a6a433c9f45b2cb3a4 |
| SHA1 | 8b93b3a46b4d0dcd481189bf805ef287751160df |
| SHA256 | 9cf653b00012f9dbd8b2f9bc6bc5ec6cf54a005cfc3353f16c68420d2054ee72 |
| SHA512 | 28117efb653935c50f8ba55de4b74a8faf9e24dbadc1f67ee26b4d1cbf2629b5d2fbd3025a9e5cac03b79151c9584b658960385c65612857ac340f9567f4b940 |
memory/2844-17-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/2428-20-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2428-21-0x0000000000400000-0x0000000000437000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 03:29
Reported
2024-10-13 03:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3048 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3048 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3048 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3048 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3048 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3048 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d8d6c2e78226669d4e8826b02690837_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3048-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 1beea0de3234461583c10321912799ef |
| SHA1 | bf4aa19b64d146065b8c2b14dedc188211e2c599 |
| SHA256 | fb3310b46f13e8afe84db06e9301bf08b93f579088974222728c2704e7c82375 |
| SHA512 | e08c20600cac180a614e0eed2ae7ed97d5f891a2d3fb3b029f1ff9a7d666cca60686c88e10b2dcf16e819476bfe6c55ef41d48cd0f7b9aec5bb5c3ca53b28fd4 |
memory/3048-16-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d6fc485da67447a6a433c9f45b2cb3a4 |
| SHA1 | 8b93b3a46b4d0dcd481189bf805ef287751160df |
| SHA256 | 9cf653b00012f9dbd8b2f9bc6bc5ec6cf54a005cfc3353f16c68420d2054ee72 |
| SHA512 | 28117efb653935c50f8ba55de4b74a8faf9e24dbadc1f67ee26b4d1cbf2629b5d2fbd3025a9e5cac03b79151c9584b658960385c65612857ac340f9567f4b940 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/2904-19-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2904-20-0x0000000000400000-0x0000000000437000-memory.dmp