Analysis
  max time kernel: 149s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 06/12/2024, 23:48
Behavioral task: behavioral1
  Sample: cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
  Resource: win7-20241010-en
General
  Target: cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
  Size: 517KB
  MD5: cfa5620c309466a0e1df45188c09e3f4
  SHA1: f80f69c798695a8460fd701a8e5819dea02b5d75
  SHA256: 4e51ae51b6b04aef6bfead49ef8da26e5387fc159cb07e4139c10b7b2d734afc
  SHA512: 4d493fd5524877e70a0b39657ba0d67ca547e1d65f5d3a5fdfc3cb09a420799e7ffc3036577bac30e0c377a48142e694b804c9b8353e3810ce5824b79f24ea78
  SSDEEP: 12288:AyPHijVSuJqu4kwaeDPvjJ81VGqK6GvPR:AuCTq4waor+Gnp
Malware Config
  Extracted family: urelas
  Extracted addresses:
    1.234.83.146
    133.242.129.155
    218.54.31.226
    218.54.31.165
Signatures
  Urelas family
  Deletes itself (1 IoC)
    pid 2344  cmd.exe
  Executes dropped EXE (2 IoCs)
    pid 2452  koguf.exe
    pid 2484  quuco.exe
  Loads dropped DLL (2 IoCs)
    pid 2708  cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
    pid 2452  koguf.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc  Process
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  koguf.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  quuco.exe
  Suspicious behavior: EnumeratesProcesses (54 IoCs)
    pid 2484  quuco.exe  (54 identical entries)
  Suspicious use of WriteProcessMemory (12 IoCs)
    description  pid  Process  procid_target
    PID 2708 wrote to memory of 2452  cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe  30  (4 identical entries)
    PID 2708 wrote to memory of 2344  cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe  31  (4 identical entries)
    PID 2452 wrote to memory of 2484  koguf.exe  34  (4 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe  (PID 2708)
    command line: "C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\koguf.exe  (PID 2452, child of 2708)
      command line: "C:\Users\Admin\AppData\Local\Temp\koguf.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\quuco.exe  (PID 2484, child of 2452)
        command line: "C:\Users\Admin\AppData\Local\Temp\quuco.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe  (PID 2344, child of 2708)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 304B
    MD5: aa74e2a5642ffe3007dd0a8b79b1cb7b
    SHA1: 1f2fd6489c9b9b0d6572c8fdbb561e728027b8ff
    SHA256: 4be865ab667c5daedc4c8a6402c0bc6182fbba19e57c34f5f8cff600bbad7c54
    SHA512: df20335b5afd5a960a2fa6f417d32d04f577486e419f6f6b71762393eaeec1711d239f928f7071de78b0004eae7581d5053c57d978a8b8bf7ee342261f6748a9
  - Filesize: 512B
    MD5: ea6fcc6d87e0445e3784f3f08e2a8b77
    SHA1: f741ff7eab1ee2c6c3e9b60681b52a97f67c6a8b
    SHA256: c41f34599196c9b413749a63331109c5d26b90413f84637c0b4521753fc64d36
    SHA512: d4ece6ef50a371666c728d7390f9b1110fd0554598a65bc316ed3ef08d54c39a1314facc914399d2177c418c49c0606c89a26fe68d657f18984bd63d9f3c0336
  - Filesize: 517KB
    MD5: ba04e1931032ced4b5635cf29b73b6b6
    SHA1: 9e7d527227f6dfc26c0da8c497daf3566d21ee4e
    SHA256: 13bb06d5557c5d99b3fc01773477dd377a0c216a34a8c8763bfdbbb5e1167dc8
    SHA512: 24805222d9fc1cfabfcbfb1f15c16bb000a27dc247ba23b1b9a2a70e594f945434bd90352d0338513943a7659f02ce88fec31de66ea804344756d7d1a186891e
  - Filesize: 517KB
    MD5: 9576ab0705f8685039649fd52105e26b
    SHA1: bc5d18e75c9948491ed69b14b0c154a354ac0936
    SHA256: 7a10c0fe1efeeb2e0c5fa42a35a775d96ceba7a33a7387dc4bd5b353e8639360
    SHA512: b5bf6edbb1ea312149e4310fd7230741285c0708161aec47c7f7e808f178a7e9aa2573301ae72d958399f4922c24887fcf02223e6a7242dc1648f34720296975
  - Filesize: 179KB
    MD5: f9861446ce19cb41604a769229108361
    SHA1: ad7ccaa220d4a569a5f3ee7df90c5cb6c84b7d8d
    SHA256: 75db306c652c02154d6ab2f3f6dafb5358ab74b30a4aeb225bacba8bb5498989
    SHA512: c3ce458094b59fff476a03366104e5b8ad12b800f3d426f03dcb37363f65e154f6eca2584f272fb2e119c8a8b83d84d6db795cdff386e0f1ca77e4794890d895