Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2024 01:34
Behavioral task: behavioral1
- Sample: 88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
- Size: 535KB
- MD5: 88fc65aabc5e0d85ac7b4492ce91c25d
- SHA1: f755aaa79828da46f919166ae7d3a704c265abfc
- SHA256: 549fea1b9113b1e41724bda53f2c04cbc49615cbbb4ba2f01b7f66f2f4755342
- SHA512: 1ca51aa833817000b291f6a167d0b41ff328e966875fbd9f137de92da51280e38de13cbe9e90e976a64dd287e2a6a6a04afbd38812d4e9a5bb1d46e5411f0236
- SSDEEP: 12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2z:cLjQC+bs0YOz
Malware Config
Extracted family: urelas
Extracted addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid 2340, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2092, process vohil.exe
  pid 2508, process abhei.exe
- Loads dropped DLL (2 IoCs)
  pid 3064, process 88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
  pid 2092, process vohil.exe
- Resources matching yara rule upx
  behavioral1/memory/3064-0-0x0000000000400000-0x000000000048B000-memory.dmp
  behavioral1/files/0x0009000000015d2a-4.dat
  behavioral1/memory/3064-17-0x0000000000400000-0x000000000048B000-memory.dmp
  behavioral1/memory/2092-20-0x0000000000400000-0x000000000048B000-memory.dmp
  behavioral1/memory/2092-28-0x0000000000400000-0x000000000048B000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of cmd.exe, abhei.exe, 88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe and vohil.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 2508, process abhei.exe (all 54 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3064 (88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe) wrote to memory of 2092, procid_target 30 (4 entries)
  PID 3064 (88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe) wrote to memory of 2340, procid_target 31 (4 entries)
  PID 2092 (vohil.exe) wrote to memory of 2508, procid_target 34 (4 entries)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe"
  PID: 3064
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\vohil.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vohil.exe"
    PID: 2092
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\abhei.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\abhei.exe"
      PID: 2508
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2340
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304B
  MD5: 36ff90a90ce8d32ae0b507c90d3b7673
  SHA1: e906f49a6ef42f72480425f748f7ddc5c86cfe3d
  SHA256: 646876c4a838e696a28120506ae1f2e91e1838ba87240cd2efd5040e7e917ceb
  SHA512: 9d38c1f066d82cf322ae054caad20c4b019eb12f0cdd2ceafbd88b530d4205f6c10e22a7cf89a54e7efea7d7ce25735db4a8daa3d5ad4e5086c0749e09ccc2c9
- Filesize: 512B
  MD5: 2cfafb0ded3b6af4143bf08b42c78278
  SHA1: 457aee28a15c624c3a8a085ea4a3b3397d63c1bb
  SHA256: 0faba57ebed8a25959aa40c9e4a312d1ea06d03786576b4106a981bded175b10
  SHA512: e5674a05cf7e68f91cbe7eda06300eba54f887e5969cc2fbc1473304bb1428ac02eb8509dbc12cdb8611ba3b77078f0b3d6fd79fc22e1e7e9466305cc88f25d5
- Filesize: 241KB
  MD5: ddf0e2b0c6d99d11f59de3ab65e96b23
  SHA1: 576252d21fc2ea7b08fcd3093321b06c3ed8bac7
  SHA256: d5c2a202f88bba1c3937157ef520677448a8163c3ac29ff5d67bda2ff4ee74c5
  SHA512: 3c7582f23a680eea6cce0fb9307e422979d189aa6b46d9d0d2a5b03ce0c7b74cdd34227dd8bad5b65dc3376b2a4467a1394d0e91374b370713e5c583cac8edd5
- Filesize: 535KB
  MD5: 32b296edab7f37fbe4ea3c7ae1969a64
  SHA1: b538ec4b6770acdf581b4194b53ce271667a21b7
  SHA256: 45ebf291a9c0ab3353b61d7c1f87b2ebec365d58884913d4489c0f05c27ecb1a
  SHA512: 3ff85f7a1a72ab791b23b060313688e05be2403952a75e87de3ff1a188644d9a516eecb3cf24234e39c9b7696a01102664df786c63ea7ff07d74831d3ef876d6