Analysis
max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 18:19
Behavioral task
behavioral1
Sample
86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target: 86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Size: 1.1MB
MD5: 86eb86d30513d4bb471a89dcb92dd60a
SHA1: 56796ad5c76efc1d9dcb0ce78a4c52d6afaa740a
SHA256: a3332c4b6aa27c2f7ffc1668e880022f705d219a9d8ef3d4fcee24e243e145c2
SHA512: 168a79da715234581ab76d3cc0db22d8e43dc9aa9e5581104dccf432106e866ea3a2fad6d92eba2c0f136228c0a7cd7a5e2aad6f59920deff75a140ff1b22288
SSDEEP: 12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YX:tcykpY5852j6aJGl5cqB4
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures

Urelas family

Deletes itself (1 IoC)
pid   Process
1648  cmd.exe

Executes dropped EXE (3 IoCs)
pid   Process
332   kuwub.exe
2864  qienpi.exe
2468  lyzio.exe

Loads dropped DLL (5 IoCs)
pid   Process
3008  86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe (2 occurrences)
332   kuwub.exe (2 occurrences)
2864  qienpi.exe

resource                                                                      yara_rule
behavioral1/files/0x0009000000016644-40.dat                                   upx
behavioral1/memory/2468-46-0x0000000000400000-0x0000000000599000-memory.dmp   upx
behavioral1/memory/2468-58-0x0000000000400000-0x0000000000599000-memory.dmp   upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   lyzio.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   kuwub.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   qienpi.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
2468  lyzio.exe (13 occurrences)

Suspicious use of WriteProcessMemory (20 IoCs)
description                        pid   Process                                               procid_target
PID 3008 wrote to memory of 332    3008  86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe   30 (4 occurrences)
PID 3008 wrote to memory of 1648   3008  86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe   31 (4 occurrences)
PID 332 wrote to memory of 2864    332   kuwub.exe                                             33 (4 occurrences)
PID 2864 wrote to memory of 2468   2864  qienpi.exe                                            35 (4 occurrences)
PID 2864 wrote to memory of 2776   2864  qienpi.exe                                            36 (4 occurrences)
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3008

  C:\Users\Admin\AppData\Local\Temp\kuwub.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kuwub.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 332

    C:\Users\Admin\AppData\Local\Temp\qienpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qienpi.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2864

      C:\Users\Admin\AppData\Local\Temp\lyzio.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\lyzio.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 2468

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
        PID: 2776

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 1648
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 304B
MD5: 610d610eaa1596086538b05ab6d40a9c
SHA1: 5417cc67b8478a7af177c30fcb45f5ad792c6f83
SHA256: c144198cb19712b1df4006fa7b5324068fc6b4a9b875b63e79584d2c1b5585a2
SHA512: 9bdd492abbe5d803231f1646fc24460db2c02433eb65de9e460bab426dfb125367a9e9d4e20764d4128caf1c63d5111b6ced2aee8e5b75ee72631e1f3ca5205e

Filesize: 224B
MD5: c746a45a01e7ec649f583035a7e479a0
SHA1: 9bd498d4f5f25fcbf7ead3240e85715aa309dfcd
SHA256: 000c087007c31a7ead7d2b1b163d6312a19cfbd1a999d86a3f0f55898aea586b
SHA512: ecf6f0700fdd2229f983bb9829073f8ff18abd88442df4b5f5e07f82c028a80b2812b930d4dc830ec01153db7a34bcc661e9e05453a2514b9c100fcb82f6add6

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: 7ce735b383016175b26d745bf354749e
SHA1: 53f2cf3297741736ccf2e50f17380ebaab34ea4d
SHA256: 0d36eca0f3145a6d83b4fa3c1258d45c845ac6ef6e7fa585877636d2871f7e43
SHA512: c07cbd7f7802df14069753edc2119a9bf53e6bd4d722bd4c7c9c01d0cb9d7f0dc471f9d1c18dac983739a3f54c8fa3bc70d98c2aab25759ba4c1187a00f005bc

Filesize: 1.1MB
MD5: e08781b8f677ea5eb85b4d7bc7328634
SHA1: 576643cfa4403174fc258804db13b0fcc8f8b184
SHA256: 146e8b0ec9e2a580d81eeb03c55a5d82ba8253b183c1380bd3046761f4dc4003
SHA512: 1840c06bb524cf7d2d5b5500eede6c9b3b9209d34189bc213eb4b903c702e6f978deaf269fabd433110858811c17654bf76124560e1578f86ba6cace25689137

Filesize: 459KB
MD5: 5b3e48f8c1fcecf5cc34d06ad22b7ada
SHA1: a6ecb53b2cd605266978267fed2ae9ecc29eb290
SHA256: 3cf53d5b0743133e938c936b5d91d2b4a6f99e4a39869baf5670e1e54732d2aa
SHA512: 282389a51425108a549b3ba74d2e2f42bb756fe61eb9bd3b646fab2b187c273c41ca060837010c61893bd83ef353a8651f80f4a708808806e587bd370b294bd2