Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2024, 20:17
Behavioral task: behavioral1
Sample: 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
Resource: win7-20241023-en
General
- Target: 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
- Size: 446KB
- MD5: 7aadedf28a0c97b73a5660070007e6ee
- SHA1: 13fe0ec7a22dd98971f1956cb0c561e57a9e53e1
- SHA256: 6012b35fc58f6154d0ecc00c1e56db0aba850cb6ddef2679c1763fc20fc6b289
- SHA512: 6e521042f13307817200b638ee0d108e63fc8fa7326f5cb22acdf4bcb0bb5ed368898759713a0f94f6fbeaf25f3d2df3d37abaada0176b2b539d54e4da880275
- SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo0:PMpASIcWYx2U6hAJQn4
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | qyylm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | ersyvu.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1584 | qyylm.exe
  624 | ersyvu.exe
  2704 | idhiu.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qyylm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ersyvu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | idhiu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2704 | idhiu.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1748 wrote to memory of 1584 | 1748 | 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe | 85 (3 identical entries)
  PID 1748 wrote to memory of 1784 | 1748 | 7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe | 86 (3 identical entries)
  PID 1584 wrote to memory of 624 | 1584 | qyylm.exe | 88 (3 identical entries)
  PID 624 wrote to memory of 2704 | 624 | ersyvu.exe | 106 (3 identical entries)
  PID 624 wrote to memory of 2400 | 624 | ersyvu.exe | 107 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe"
  PID: 1748
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qyylm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qyylm.exe" hi
    PID: 1584
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ersyvu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ersyvu.exe" OK
      PID: 624
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\idhiu.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\idhiu.exe"
        PID: 2704
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2400
        - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 1784
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads