Analysis Overview
SHA256
aadaa8a794e656859ccb247ae5dc46a66920225db288f53237d8f3b2818db76a
Threat Level: Known bad
The file 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 20:08
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 20:08
Reported
2024-10-13 20:11
Platform
win7-20241010-en
Max time kernel
150s
Max time network
81s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gidij.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opvyci.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cywul.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gidij.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opvyci.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gidij.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opvyci.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cywul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gidij.exe
"C:\Users\Admin\AppData\Local\Temp\gidij.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\opvyci.exe
"C:\Users\Admin\AppData\Local\Temp\opvyci.exe" OK
C:\Users\Admin\AppData\Local\Temp\cywul.exe
"C:\Users\Admin\AppData\Local\Temp\cywul.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2248-0-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\gidij.exe
| MD5 | 5a403cd23db801757e12b6ee21cd4e89 |
| SHA1 | be3bbbd74fa4686a6c83461af37f5342730299dd |
| SHA256 | 318c2097cfe0efa17dda1105b28777628bab4b48d345cdde1d58d3ffd65c4ecb |
| SHA512 | c48046b3db36d493c1d76af87ca2a34ba85927c684f1ab9291691fe45ec384e9cecb06f82b4a8b9fbde1dcc3cadcbeea6055900d4c07f1123a67666eb9dd6b82 |
memory/2248-9-0x0000000002470000-0x00000000024DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b79034f85d28b26913139a6bfef20d53 |
| SHA1 | 72cf006e53854d0fe107fa70b0a69f8f799c2709 |
| SHA256 | 545185129fd6e7c6cded59fd821b9d37829f2fe0a80a73152fe2dbf6fceccbe3 |
| SHA512 | be83ec704277faaefcb13b5265276601f7fa7781d4d0ad0a8adfff9d65a358eeb0736565afdfd48b87781994054aebbd4fbd396ad335d5e8b1a68e29c0dc7a9a |
C:\Users\Admin\AppData\Local\Temp\opvyci.exe
| MD5 | 37ee9df03c2c4b70fa8c849696d0e766 |
| SHA1 | 91ad3a8db6327d88b1923076e00153f8cb80c8b2 |
| SHA256 | 4babf12cac8700a1215d0769b571cc6dafe89d504e80581d47535e34065853d6 |
| SHA512 | e9ae62c3c7b7ac6ce3911c3103315518a5bd8147ed18bc5f2b76bc72ddae978bed0491bfe2b39496fa44abc90826127bd40c37570acb09be026bad3459f584c4 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ef2b73166547b3fe2fef0e29b39daa45 |
| SHA1 | b08caa3a47057cd651723bfe72b77a936a7cce76 |
| SHA256 | ab80161a544631984b272ae21f52017e036866ec599eb85d295ed54eea8798d6 |
| SHA512 | cfa240597d2c6e3f11cab625b8b70b7eac6502764e19fa82995ada1b9631a9e64026369c73943fe08cebd16d096f6271bd03b55609b4e1b661aaf725b36292ca |
memory/2248-20-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3012-27-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2876-26-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3012-29-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\cywul.exe
| MD5 | 071f5b27eec863360612ff7cd7125af9 |
| SHA1 | d1603ab9cc0bab3e8b1e1f763bf117dc5a90816e |
| SHA256 | b5d03935d6b66e532ed28953908c061af8aec503546ed368fd363a82a7a07758 |
| SHA512 | 215e8452b2c38eca7d7dd854b58ff77da9d1637523f56e473d428a53f7ebd34cf24e92b40ad1b9e5ccec2f78a1553a3409c2790f50f8e13b0925c3071f1ead9c |
memory/2700-46-0x0000000000F70000-0x0000000001010000-memory.dmp
memory/3012-45-0x0000000003280000-0x0000000003320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4d64dc876ce23798882f1552c0d892d5 |
| SHA1 | e46cdf174e708f6fc95412f613c720f007861128 |
| SHA256 | 33a6c604042fe7b2539e18c0b94c0dd5f85bc4260c69cbc274807efbc7786863 |
| SHA512 | db4175826c42b7f5031b81586d1b085402cd8ddc76945e35a9256926f3efbabceaccdf16b9c6d90897ce833ab19756934a3f26507d355ce6c9124950f19234ac |
memory/3012-44-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2700-50-0x0000000000F70000-0x0000000001010000-memory.dmp
memory/2700-51-0x0000000000F70000-0x0000000001010000-memory.dmp
memory/2700-52-0x0000000000F70000-0x0000000001010000-memory.dmp
memory/2700-53-0x0000000000F70000-0x0000000001010000-memory.dmp
memory/2700-54-0x0000000000F70000-0x0000000001010000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 20:08
Reported
2024-10-13 20:11
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vehau.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\funewo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vehau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\funewo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\seumq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\funewo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\seumq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vehau.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vehau.exe
"C:\Users\Admin\AppData\Local\Temp\vehau.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\funewo.exe
"C:\Users\Admin\AppData\Local\Temp\funewo.exe" OK
C:\Users\Admin\AppData\Local\Temp\seumq.exe
"C:\Users\Admin\AppData\Local\Temp\seumq.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4764-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vehau.exe
| MD5 | e5d20c07e3ea1c02d178ca6c69215484 |
| SHA1 | 4317a5c87046171597a9a5b55fb453d83b8df2f6 |
| SHA256 | 0da9e0b72e79ca28da94598f506878a2d125a9c04f8ed1700f802d95cad1d885 |
| SHA512 | 383c3b4802f764936d3f08d0fe9cca8c60d1fa24084d458db6806a6c81f1c92530714623dd3a282d2e65e673dbf8887cf9c30d4d77e3128438045df82712ea4e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cdf6792a15de4018eb0a5d57d5441877 |
| SHA1 | a8544b3869df1389fbf14d688bc5229cb7cfdc71 |
| SHA256 | 1f01d1787227020114773cea640a287f82836f159931f61bfbdc68bfe9ceaa18 |
| SHA512 | 921173f95d427afcffe33a4e7df58beb6ad9dc16f84957add4d5126d234ad6769d8601f24acf7b3625ebfbafa23c3adb330a26ee12ca074c6110e530f2cc9c62 |
memory/976-14-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4764-16-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ef2b73166547b3fe2fef0e29b39daa45 |
| SHA1 | b08caa3a47057cd651723bfe72b77a936a7cce76 |
| SHA256 | ab80161a544631984b272ae21f52017e036866ec599eb85d295ed54eea8798d6 |
| SHA512 | cfa240597d2c6e3f11cab625b8b70b7eac6502764e19fa82995ada1b9631a9e64026369c73943fe08cebd16d096f6271bd03b55609b4e1b661aaf725b36292ca |
C:\Users\Admin\AppData\Local\Temp\funewo.exe
| MD5 | 6255360ba18ce7ac9c8491ba04bb50b3 |
| SHA1 | 65cbd531c7ec3605ecead27db7a9ef4715267916 |
| SHA256 | 99e84e2275775e89dd93ecaa105c8c40b3789e8c806966fcb79755944a3f3ba2 |
| SHA512 | 999ccf4ee76f51c9b52030d34e62a34ad679eda648fb2361a5a1bf28937bd47039308a6170a2651d07a69747e00c500324c7b64b7156a356f1f6ebaf89bd7606 |
memory/976-24-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1956-26-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\seumq.exe
| MD5 | c6de1ed20163655825a4294c923f0244 |
| SHA1 | 3d47ac1f440a7bf5e86614f0e3ade5aeacca2b42 |
| SHA256 | b63e405794c2098751362e7b57a2b62ba11d68b6af739c45e44c927d1e081ff0 |
| SHA512 | 53c19b24d0f1a39874101c7aab0da41abdc9b0cbbd575377bb33006c6f917587feeb46358a9d59df431b507f0018633fd32df281aa33f305c07ba05e7e5cf0d6 |
memory/2316-37-0x00000000008F0000-0x0000000000990000-memory.dmp
memory/1956-40-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c712a9cf99dce76c14302cffe2df2af8 |
| SHA1 | 2f8b0a922144dfeeb57699c83572a2c905312231 |
| SHA256 | fedc35d98d5156a129e629f79644d2bddda7b2ac678f979b76fd42b1207d8d41 |
| SHA512 | 8fca0d66c06a28a4a240799642130c74b4da8a958cd3edadeacbea03a3d501edce977cb0c3785f2237f867caa2a4bfd0bf578931e87bd3814aca4cfb3a49be17 |
memory/2316-42-0x00000000008F0000-0x0000000000990000-memory.dmp
memory/2316-43-0x00000000008F0000-0x0000000000990000-memory.dmp
memory/2316-44-0x00000000008F0000-0x0000000000990000-memory.dmp
memory/2316-45-0x00000000008F0000-0x0000000000990000-memory.dmp
memory/2316-46-0x00000000008F0000-0x0000000000990000-memory.dmp